Vulnerabilities related to apache - wicket
cve-2012-5636
Vulnerability from cvelistv5
Published
2017-10-30 19:00
Modified
2024-08-06 21:14
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to <script> tags in a rendered response.
References
▼ | URL | Tags |
---|---|---|
https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/101644 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:14:16.232Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html" }, { "name": "101644", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/101644" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-03-03T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \u003cscript\u003e tags in a rendered response." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-11-03T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html" }, { "name": "101644", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/101644" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5636", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 
6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \u003cscript\u003e tags in a rendered response." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html", "refsource": "CONFIRM", "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html" }, { "name": "101644", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101644" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5636", "datePublished": "2017-10-30T19:00:00", "dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2024-08-06T21:14:16.232Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-0047
Vulnerability from cvelistv5
Published
2012-03-23 18:00
Modified
2024-08-06 18:09
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the wicket:pageMapName parameter.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/74273 | vdb-entry, x_refsource_XF | |
http://archives.neohapsis.com/archives/bugtraq/2012-03/0112.html | mailing-list, x_refsource_BUGTRAQ | |
http://osvdb.org/80300 | vdb-entry, x_refsource_OSVDB | |
http://www.securitytracker.com/id?1026839 | vdb-entry, x_refsource_SECTRACK | |
http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T18:09:17.246Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "apache-wicket-unspec-xss(74273)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74273" }, { "name": "20120322 [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0112.html" }, { "name": "80300", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/80300" }, { "name": "1026839", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1026839" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-03-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the wicket:pageMapName parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-05T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "apache-wicket-unspec-xss(74273)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74273" }, { "name": "20120322 [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0112.html" }, { "name": "80300", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/80300" }, { "name": "1026839", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1026839" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-0047", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the wicket:pageMapName parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "apache-wicket-unspec-xss(74273)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74273" }, { "name": "20120322 [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0112.html" }, { "name": "80300", "refsource": "OSVDB", "url": "http://osvdb.org/80300" }, { "name": "1026839", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1026839" }, { "name": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html", "refsource": "CONFIRM", "url": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-0047", "datePublished": "2012-03-23T18:00:00", "dateReserved": "2011-12-07T00:00:00", "dateUpdated": "2024-08-06T18:09:17.246Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-6793
Vulnerability from cvelistv5
Published
2017-07-14 20:00
Modified
2024-08-06 01:43
Summary
The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.
References
▼ | URL | Tags |
---|---|---|
http://www.securitytracker.com/id/1037541 | vdb-entry, x_refsource_SECTRACK | |
http://www.securityfocus.com/archive/1/539975/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.openwall.com/lists/oss-security/2016/12/31/1 | mailing-list, x_refsource_MLIST | |
https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/95168 | vdb-entry, x_refsource_BID | |
https://www.tenable.com/security/research/tra-2016-23 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T01:43:37.781Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "1037541", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1037541" }, { "name": "20161231 Fwd: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/539975/100/0/threaded" }, { "name": "[oss-security] 20161231 Fwd: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/31/1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html" }, { "name": "95168", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/95168" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.tenable.com/security/research/tra-2016-23" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-08-12T00:00:00", "descriptions": [ { "lang": "en", "value": "The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-04-24T18:01:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "1037541", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1037541" }, { "name": "20161231 Fwd: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/539975/100/0/threaded" }, { "name": "[oss-security] 20161231 Fwd: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/31/1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html" }, { "name": "95168", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/95168" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.tenable.com/security/research/tra-2016-23" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-6793", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "1037541", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037541" }, { "name": "20161231 Fwd: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/539975/100/0/threaded" }, { "name": "[oss-security] 20161231 Fwd: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/12/31/1" }, { "name": "https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html", "refsource": "CONFIRM", "url": "https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html" }, { "name": "95168", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95168" }, { "name": "https://www.tenable.com/security/research/tra-2016-23", "refsource": "MISC", "url": "https://www.tenable.com/security/research/tra-2016-23" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-6793", "datePublished": "2017-07-14T20:00:00", "dateReserved": "2016-08-12T00:00:00", "dateUpdated": "2024-08-06T01:43:37.781Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-2712
Vulnerability from cvelistv5
Published
2011-08-29 15:00
Modified
2024-08-06 23:08
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/45727 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securitytracker.com/id?1025976 | vdb-entry, x_refsource_SECTRACK | |
http://securityreason.com/securityalert/8357 | third-party-advisory, x_refsource_SREASON | |
http://www.securityfocus.com/bid/49290 | vdb-entry, x_refsource_BID | |
http://wicket.apache.org/2011/08/23/cve-2011-2712.html | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/69394 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/archive/1/519398/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T23:08:23.896Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "45727", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/45727" }, { "name": "1025976", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1025976" }, { "name": "8357", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/8357" }, { "name": "49290", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/49290" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wicket.apache.org/2011/08/23/cve-2011-2712.html" }, { "name": "apache-wicket-multi-window-xss(69394)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69394" }, { "name": "20110823 [CVE-2011-2712] Apache Wicket XSS vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/519398/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-08-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "45727", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/45727" }, { "name": "1025976", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1025976" }, { "name": "8357", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/8357" }, { "name": "49290", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/49290" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wicket.apache.org/2011/08/23/cve-2011-2712.html" }, { "name": "apache-wicket-multi-window-xss(69394)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69394" }, { "name": "20110823 [CVE-2011-2712] Apache Wicket XSS vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/519398/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2011-2712", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "45727", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/45727" }, { "name": "1025976", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1025976" }, { "name": "8357", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/8357" }, { "name": "49290", "refsource": "BID", "url": "http://www.securityfocus.com/bid/49290" }, { "name": "http://wicket.apache.org/2011/08/23/cve-2011-2712.html", "refsource": "CONFIRM", "url": "http://wicket.apache.org/2011/08/23/cve-2011-2712.html" }, { "name": "apache-wicket-multi-window-xss(69394)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69394" }, { "name": "20110823 [CVE-2011-2712] Apache Wicket XSS vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/519398/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-2712", "datePublished": "2011-08-29T15:00:00", "dateReserved": "2011-07-11T00:00:00", "dateUpdated": "2024-08-06T23:08:23.896Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-7808
Vulnerability from cvelistv5
Published
2017-09-15 20:00
Modified
2024-08-06 13:03
Summary
Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.
References
▼ | URL | Tags |
---|---|---|
http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E | mailing-list, x_refsource_MLIST | |
https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:03:27.296Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[wicket-users] 20150218 CVE-2014-7808", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-02-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-15T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[wicket-users] 20150218 CVE-2014-7808", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-7808", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[wicket-users] 20150218 CVE-2014-7808", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw@mail.gmail.com%3E" }, { "name": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html", "refsource": "MISC", "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-7808", "datePublished": "2017-09-15T20:00:00", "dateReserved": "2014-10-03T00:00:00", "dateUpdated": "2024-08-06T13:03:27.296Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-2055
Vulnerability from cvelistv5
Published
2014-02-10 23:00
Modified
2024-08-06 15:20
Summary
Unspecified vulnerability in Apache Wicket 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0 allows remote attackers to obtain sensitive information via vectors that cause raw HTML templates to be rendered without being processed and reading the information that is outside of wicket:panel markup.
References
▼ | URL | Tags |
---|---|---|
http://seclists.org/fulldisclosure/2014/Feb/38 | mailing-list, x_refsource_FULLDISC | |
https://wicket.apache.org/2014/02/06/cve-2013-2055.html | x_refsource_CONFIRM | |
http://osvdb.org/102955 | vdb-entry, x_refsource_OSVDB | |
https://wicket.apache.org/2013/05/17/wicket-6.8.0-released.html | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/65431 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.447Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20140206 [CVE-2013-2055] Apache Wicket information disclosure vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2014/Feb/38" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wicket.apache.org/2014/02/06/cve-2013-2055.html" }, { "name": "102955", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/102955" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wicket.apache.org/2013/05/17/wicket-6.8.0-released.html" }, { "name": "65431", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/65431" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-02-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in Apache Wicket 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0 allows remote attackers to obtain sensitive information via vectors that cause raw HTML templates to be rendered without being processed and reading the information that is outside of wicket:panel markup." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-02-10T22:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "20140206 [CVE-2013-2055] Apache Wicket information disclosure vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2014/Feb/38" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wicket.apache.org/2014/02/06/cve-2013-2055.html" }, { "name": "102955", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/102955" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wicket.apache.org/2013/05/17/wicket-6.8.0-released.html" }, { "name": "65431", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/65431" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2055", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unspecified vulnerability in Apache Wicket 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0 allows remote attackers to obtain sensitive information via vectors that cause raw HTML templates to be rendered without being processed and reading the information that is outside of wicket:panel markup." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20140206 [CVE-2013-2055] Apache Wicket information disclosure vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Feb/38" }, { "name": "https://wicket.apache.org/2014/02/06/cve-2013-2055.html", "refsource": "CONFIRM", "url": "https://wicket.apache.org/2014/02/06/cve-2013-2055.html" }, { "name": "102955", "refsource": "OSVDB", "url": "http://osvdb.org/102955" }, { "name": "https://wicket.apache.org/2013/05/17/wicket-6.8.0-released.html", "refsource": "CONFIRM", "url": "https://wicket.apache.org/2013/05/17/wicket-6.8.0-released.html" }, { "name": "65431", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65431" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2055", "datePublished": "2014-02-10T23:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.447Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-3373
Vulnerability from cvelistv5
Published
2012-09-19 19:00
Modified
2024-08-06 20:05
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/55445 | vdb-entry, x_refsource_BID | |
http://secunia.com/advisories/50555 | third-party-advisory, x_refsource_SECUNIA | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/78321 | vdb-entry, x_refsource_XF | |
http://wicket.apache.org/2012/09/06/cve-2012-3373.html | x_refsource_CONFIRM | |
http://osvdb.org/85249 | vdb-entry, x_refsource_OSVDB | |
http://www.securitytracker.com/id?1027508 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:05:11.642Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "55445", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/55445" }, { "name": "50555", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/50555" }, { "name": "apache-wicket-unspecified-xss(78321)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78321" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wicket.apache.org/2012/09/06/cve-2012-3373.html" }, { "name": "85249", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/85249" }, { "name": "1027508", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1027508" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-09-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "55445", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/55445" }, { "name": "50555", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/50555" }, { "name": "apache-wicket-unspecified-xss(78321)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78321" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wicket.apache.org/2012/09/06/cve-2012-3373.html" }, { "name": "85249", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/85249" }, { "name": "1027508", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1027508" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-3373", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "55445", "refsource": "BID", "url": "http://www.securityfocus.com/bid/55445" }, { "name": "50555", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/50555" }, { "name": "apache-wicket-unspecified-xss(78321)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78321" }, { "name": "http://wicket.apache.org/2012/09/06/cve-2012-3373.html", "refsource": "CONFIRM", "url": "http://wicket.apache.org/2012/09/06/cve-2012-3373.html" }, { "name": "85249", "refsource": "OSVDB", "url": "http://osvdb.org/85249" }, { "name": "1027508", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1027508" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-3373", "datePublished": "2012-09-19T19:00:00", "dateReserved": "2012-06-14T00:00:00", "dateUpdated": "2024-08-06T20:05:11.642Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-0043
Vulnerability from cvelistv5
Published
2017-10-02 13:00
Modified
2024-09-16 19:56
Summary
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special URLs handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third-party library with a known security vulnerability is in use.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Wicket |
Version: 1.5.10 Version: 6.13.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:58:26.567Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[wicket-announce] 20140221 CVE-2014-0043", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Wicket", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.5.10" }, { "status": "affected", "version": "6.13.0" } ] } ], "datePublic": "2014-02-21T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-02T12:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[wicket-announce] 20140221 CVE-2014-0043", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2014-02-21T00:00:00", "ID": "CVE-2014-0043", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Wicket", "version": { "version_data": [ { "version_value": "1.5.10" }, { "version_value": "6.13.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "[wicket-announce] 20140221 CVE-2014-0043", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d@1392986987@%3Cannounce.wicket.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2014-0043", "datePublished": "2017-10-02T13:00:00Z", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-09-16T19:56:10.491Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-3526
Vulnerability from cvelistv5
Published
2017-10-30 14:00
Modified
2024-08-06 10:50
Summary
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
References
▼ | URL | Tags |
---|---|---|
https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:50:16.801Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-09-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-30T13:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3526", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html", "refsource": "CONFIRM", "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3526", "datePublished": "2017-10-30T14:00:00", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:50:16.801Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-7520
Vulnerability from cvelistv5
Published
2016-04-12 17:00
Modified
2024-08-06 07:51
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted "value" attribute in a <input> element.
References
▼ | URL | Tags |
---|---|---|
http://www.securitytracker.com/id/1035166 | vdb-entry, x_refsource_SECTRACK | |
http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:51:28.374Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "1035166", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035166" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted \"value\" attribute in a \u003cinput\u003e element." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-04-12T16:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "1035166", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035166" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-7520", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted \"value\" attribute in a \u003cinput\u003e element." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "1035166", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035166" }, { "name": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html", "refsource": "CONFIRM", "url": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7520", "datePublished": "2016-04-12T17:00:00", "dateReserved": "2015-09-29T00:00:00", "dateUpdated": "2024-08-06T07:51:28.374Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23937
Vulnerability from cvelistv5
Published
2021-05-25 08:05
Modified
2024-08-03 19:14
Summary
A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application, causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0 and later versions.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Wicket |
Version: Apache Wicket 9.x ≤ 9.2.0 | Version: Apache Wicket 8.x ≤ 8.11.0 | Version: Apache Wicket 7.x ≤ 7.17.0 | Version: Apache Wicket 6.x ≥ 6.2.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:14:09.890Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E" }, { "name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E" }, { "name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E" }, { "name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Wicket", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "9.2.0", "status": "affected", "version": "Apache Wicket 9.x", "versionType": "custom" }, { "lessThanOrEqual": "8.11.0", "status": "affected", "version": "Apache Wicket 8.x", "versionType": "custom" }, { "lessThanOrEqual": "7.17.0", "status": "affected", "version": "Apache Wicket 7.x", "versionType": "custom" }, { "lessThan": "Apache Wicket 6.x*", "status": "affected", "version": "6.2.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Apache Wicket would like to 
thank Jonathan Juursema from Topicus.Healthcare for reporting this issue." } ], "descriptions": [ { "lang": "en", "value": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions." } ], "problemTypes": [ { "descriptions": [ { "description": "DNS proxy and possible amplification attack", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-26T16:06:16", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E" }, { "name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E" }, { "name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E" }, { "name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and 
possible amplification attack", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E" } ], "source": { "discovery": "UNKNOWN" }, "title": "DNS proxy and possible amplification attack", "workarounds": [ { "lang": "en", "value": "Sanitize the X-Forwarded-For header by running an Apache Wicket application behind a reverse HTTP proxy. This proxy should put the client IP address in the X-Forwarded-For header and not pass through the contents of the header as received by the client." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-23937", "STATE": "PUBLIC", "TITLE": "DNS proxy and possible amplification attack" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Wicket", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache Wicket 9.x", "version_value": "9.2.0" }, { "version_affected": "\u003c=", "version_name": "Apache Wicket 8.x", "version_value": "8.11.0" }, { "version_affected": "\u003c=", "version_name": "Apache Wicket 7.x", "version_value": "7.17.0" }, { "version_affected": "\u003e=", "version_name": "Apache Wicket 6.x", "version_value": "6.2.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. 
This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "DNS proxy and possible amplification attack" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E" }, { "name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cannounce.wicket.apache.org%3E" }, { "name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cusers.wicket.apache.org%3E" }, { "name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78@%3Cdev.wicket.apache.org%3E" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Sanitize the X-Forwarded-For header by running an Apache Wicket 
application behind a reverse HTTP proxy. This proxy should put the client IP address in the X-Forwarded-For header and not pass through the contents of the header as received by the client." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-23937", "datePublished": "2021-05-25T08:05:10", "dateReserved": "2021-01-13T00:00:00", "dateUpdated": "2024-08-03T19:14:09.890Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-1089
Vulnerability from cvelistv5
Published
2012-03-23 18:00
Modified
2024-08-06 18:45
Summary
Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 and 1.5.x before 1.5.5 allows remote attackers to read arbitrary web-application files via a relative pathname in a URL for a Wicket resource that corresponds to a null package.
References
▼ | URL | Tags |
---|---|---|
http://osvdb.org/80301 | vdb-entry, x_refsource_OSVDB | |
http://www.securityfocus.com/bid/52679 | vdb-entry, x_refsource_BID | |
http://wicket.apache.org/2012/03/22/wicket-cve-2012-1089.html | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/74276 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T18:45:27.315Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "80301", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/80301" }, { "name": "52679", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/52679" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-1089.html" }, { "name": "apache-wicket-dir-traversal(74276)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74276" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-03-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 and 1.5.x before 1.5.5 allows remote attackers to read arbitrary web-application files via a relative pathname in a URL for a Wicket resource that corresponds to a null package." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-12T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "80301", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/80301" }, { "name": "52679", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/52679" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-1089.html" }, { "name": "apache-wicket-dir-traversal(74276)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74276" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-1089", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 and 1.5.x before 1.5.5 allows remote attackers to read arbitrary web-application files via a relative pathname in a URL for a Wicket resource that corresponds to a null package." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "80301", "refsource": "OSVDB", "url": "http://osvdb.org/80301" }, { "name": "52679", "refsource": "BID", "url": "http://www.securityfocus.com/bid/52679" }, { "name": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-1089.html", "refsource": "CONFIRM", "url": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-1089.html" }, { "name": "apache-wicket-dir-traversal(74276)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74276" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-1089", "datePublished": "2012-03-23T18:00:00", "dateReserved": "2012-02-14T00:00:00", "dateUpdated": "2024-08-06T18:45:27.315Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-6806
Vulnerability from cvelistv5
Published
2017-10-02 13:00
Modified
2024-09-16 20:57
Summary
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Wicket |
Version: 6.20.0 Version: 6.21.0 Version: 6.22.0 Version: 6.23.0 Version: 6.24.0 Version: 7.0.0 Version: 7.1.0 Version: 7.2.0 Version: 7.3.0 Version: 7.4.0 Version: 8.0.0-M1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T01:43:37.801Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Wicket", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "6.20.0" }, { "status": "affected", "version": "6.21.0" }, { "status": "affected", "version": "6.22.0" }, { "status": "affected", "version": "6.23.0" }, { "status": "affected", "version": "6.24.0" }, { "status": "affected", "version": "7.0.0" }, { "status": "affected", "version": "7.1.0" }, { "status": "affected", "version": "7.2.0" }, { "status": "affected", "version": "7.3.0" }, { "status": "affected", "version": "7.4.0" }, { "status": "affected", "version": "8.0.0-M1" } ] } ], "datePublic": "2016-11-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed." 
} ], "problemTypes": [ { "descriptions": [ { "description": "CSRF check fails", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-02T12:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2016-11-08T00:00:00", "ID": "CVE-2016-6806", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Wicket", "version": { "version_data": [ { "version_value": "6.20.0" }, { "version_value": "6.21.0" }, { "version_value": "6.22.0" }, { "version_value": "6.23.0" }, { "version_value": "6.24.0" }, { "version_value": "7.0.0" }, { "version_value": "7.1.0" }, { "version_value": "7.2.0" }, { "version_value": "7.3.0" }, { "version_value": "7.4.0" }, { "version_value": "8.0.0-M1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF check fails" } ] } ] }, "references": { "reference_data": [ { "name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd@%3Cannounce.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2016-6806", "datePublished": "2017-10-02T13:00:00Z", "dateReserved": "2016-08-12T00:00:00", "dateUpdated": "2024-09-16T20:57:22.659Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-5347
Vulnerability from cvelistv5
Published
2016-04-12 17:00
Modified
2024-08-06 06:41
Summary
Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title.
References
▼ | URL | Tags |
---|---|---|
http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html | x_refsource_CONFIRM | |
https://issues.apache.org/jira/browse/WICKET-6037 | x_refsource_CONFIRM | |
http://www.securitytracker.com/id/1035165 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:41:09.356Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/jira/browse/WICKET-6037" }, { "name": "1035165", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035165" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-03-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-04-12T16:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/jira/browse/WICKET-6037" }, { "name": "1035165", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035165" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-5347", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html", "refsource": "CONFIRM", "url": "http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html" }, { "name": "https://issues.apache.org/jira/browse/WICKET-6037", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/WICKET-6037" }, { "name": "1035165", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035165" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5347", "datePublished": "2016-04-12T17:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:41:09.356Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-11976
Vulnerability from cvelistv5
Published
2020-08-11 18:15
Modified
2024-08-04 11:48
Severity ?
EPSS score ?
Summary
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside an HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5; no other releases are listed as affected in this record, and the only remediation visible in the references is a downstream upgrade of wicket-core to 8.9.0 (Apache Directory Fortress, FC-293).
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Apache Wicket |
Version: Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:48:57.562Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E" }, { "name": "[directory-commits] 20210513 [directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -\u003e 8.9.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E" }, { "name": "[directory-dev] 20210513 [jira] [Created] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210514 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Closed] (FC-293) 
[fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Wicket", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5" } ] } ], "descriptions": [ { "lang": "en", "value": "By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. 
Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5" } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-26T16:06:17", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E" }, { "name": "[directory-commits] 20210513 [directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -\u003e 8.9.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E" }, { "name": "[directory-dev] 20210513 [jira] [Created] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210514 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E" }, { 
"name": "[directory-dev] 20210626 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2020-11976", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Wicket", "version": { "version_data": [ { "version_value": "Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. 
Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E" }, { "name": "[directory-commits] 20210513 [directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -\u003e 8.9.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7@%3Ccommits.directory.apache.org%3E" }, { "name": "[directory-dev] 20210513 [jira] [Created] (FC-293) [fortress-web] CVE-2020-11976", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19@%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210514 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49@%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1@%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22@%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976", "refsource": "MLIST", "url": 
"https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff@%3Cdev.directory.apache.org%3E" }, { "name": "[directory-dev] 20210626 [jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923@%3Cdev.directory.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-11976", "datePublished": "2020-08-11T18:15:51", "dateReserved": "2020-04-21T00:00:00", "dateUpdated": "2024-08-04T11:48:57.562Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2012-09-19 19:55
Modified
2024-11-21 01:40
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
apache | wicket | 1.4.0 | |
apache | wicket | 1.4.1 | |
apache | wicket | 1.4.2 | |
apache | wicket | 1.4.3 | |
apache | wicket | 1.4.4 | |
apache | wicket | 1.4.5 | |
apache | wicket | 1.4.6 | |
apache | wicket | 1.4.7 | |
apache | wicket | 1.4.8 | |
apache | wicket | 1.4.9 | |
apache | wicket | 1.4.10 | |
apache | wicket | 1.4.11 | |
apache | wicket | 1.4.12 | |
apache | wicket | 1.4.13 | |
apache | wicket | 1.4.14 | |
apache | wicket | 1.4.15 | |
apache | wicket | 1.4.16 | |
apache | wicket | 1.4.17 | |
apache | wicket | 1.4.18 | |
apache | wicket | 1.4.19 | |
apache | wicket | 1.4.20 | |
apache | wicket | 1.5.0 | |
apache | wicket | 1.5.1 | |
apache | wicket | 1.5.2 | |
apache | wicket | 1.5.3 | |
apache | wicket | 1.5.4 | |
apache | wicket | 1.5.5 | |
apache | wicket | 1.5.6 | |
apache | wicket | 1.5.7 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5DC8D24C-2501-4FA6-BAB9-F51D6CACEFC9", "vulnerable": false }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "22992CF6-6E59-47CD-ACA6-87EEB0E48FDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "1676E4E8-B7C4-4107-A8BF-D70F14B7230C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "3606F125-B3D9-4347-965F-AE632D861543", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "03D21845-F146-4DDD-B4AD-C2A587652BB6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "31022C02-15EE-4BF9-A224-F3B0073E0AF8", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "D474779B-A497-402A-96FA-372DE208C2CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "6169BE6B-AF63-4DDC-8EBF-06DB55A3E9C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "B4AFDECA-4622-4517-A105-3CC5A28E8E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "5633A8F1-3293-46A9-85CF-132DF43FA2EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "2E0C154E-D85F-4D98-BC14-378DDEBEDE63", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "E2363D36-C48D-47E4-8870-81FE4204511E", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "504D3DC9-DDF2-4162-AA55-947FF510392F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": 
"E8F77C3A-2FF3-4F2D-B399-6969DB900364", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "B4145A4C-D783-426A-A59A-812C50E44DCD", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "DF61708E-E966-4C82-AEF8-CF2E08F69D2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.16:*:*:*:*:*:*:*", "matchCriteriaId": "0D2E15E2-56F3-4B41-B8CB-97A196C201FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.17:*:*:*:*:*:*:*", "matchCriteriaId": "0E8962F1-2107-455D-8197-AE08B4097B72", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "395C7BE2-EE16-4659-9E18-4A6F348D2428", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.19:*:*:*:*:*:*:*", "matchCriteriaId": "A08BD56A-1033-452E-929A-A922277963BB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.20:*:*:*:*:*:*:*", "matchCriteriaId": "A7663A85-1338-4DB4-87EE-527EE303381B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A5F0F32-F5EF-4E9B-B832-115CC041BC6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "24AD7290-714C-48DB-88AF-EB83CEB7E879", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "D2FF7823-F324-4428-A047-7A7B3C89E25A", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "16816B8B-6E66-4F42-886C-FC44FC6108CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "46B33A86-0253-47E3-BC27-1AED5B8B3003", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "7B46EBE4-D1C9-43FB-A9AD-249AD01BC38E", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:apache:wicket:1.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "98375403-4DF9-43B4-8601-7932EBE40526", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "BBBAA82C-F304-4488-97C2-B8C357465B2F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app." }, { "lang": "es", "value": "Vulnerabilidad de XSS en Apache Wicket 1.4.x en versiones anteriores a 1.4.21 y 1.5.x en versiones anteriores a 1.5.8 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores que involucran una secuencia %00 en una URL de enlace Ajax asociada con una aplicaci\u00f3n Wicket." } ], "id": "CVE-2012-3373", "lastModified": "2024-11-21T01:40:44.027", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-09-19T19:55:05.327", "references": [ { "source": "secalert@redhat.com", "url": "http://osvdb.org/85249" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/50555" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/2012/09/06/cve-2012-3373.html" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/55445" }, { 
"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id?1027508" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78321" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/85249" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/50555" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/2012/09/06/cve-2012-3373.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/55445" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1027508" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78321" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-30 14:29
Modified
2024-11-21 02:08
Severity ?
Summary
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
References
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html | Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
apache | wicket | * | |
apache | wicket | 6.0.0 | |
apache | wicket | 6.0.0 | |
apache | wicket | 6.0.0 | |
apache | wicket | 6.0.0 | |
apache | wicket | 6.1.0 | |
apache | wicket | 6.1.1 | |
apache | wicket | 6.2.0 | |
apache | wicket | 6.3.0 | |
apache | wicket | 6.4.0 | |
apache | wicket | 6.5.0 | |
apache | wicket | 6.6.0 | |
apache | wicket | 6.7.0 | |
apache | wicket | 6.8.0 | |
apache | wicket | 6.9.0 | |
apache | wicket | 6.9.1 | |
apache | wicket | 6.10.0 | |
apache | wicket | 6.11.0 | |
apache | wicket | 6.12.0 | |
apache | wicket | 6.13.0 | |
apache | wicket | 6.14.0 | |
apache | wicket | 6.15.0 | |
apache | wicket | 6.16.0 | |
apache | wicket | 7.0.0 | |
apache | wicket | 7.0.0 | |
apache | wicket | 7.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "3DD671FB-9967-4ADA-8152-10DEA64F8BB7", "versionEndExcluding": "1.5.12", "versionStartIncluding": "1.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "E8C2287A-F526-44C4-AD1D-0BE7857C1FC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "BC22417A-E4B0-4512-8D96-210782855FFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "C594BC43-D6BE-41A8-A307-0166C3DE71A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "8F160D55-152E-4CA4-A506-E91079D94D10", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF725E92-BAB8-4A0D-925B-AD4F6065E1D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "7C61C7A6-3233-4710-92B6-46562AF18479", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "330AA15C-8A05-4302-AD8A-54DE6015642F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "18F7EBAA-BE71-43C6-8F28-B23511B88402", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "A9D513BF-CC50-4F96-8926-55081BF98EDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "4DCDA2F5-3C16-4093-81BD-EAB43A804419", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "ECE30441-B145-4860-AD95-DF20AB4D8DFB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "710697FA-A859-4E66-B3A2-5A03AB21B1D6", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:apache:wicket:6.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "7C5A33E3-166A-41CE-8542-7AEEEC8DB42D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "94072681-D452-4068-813E-191F3306FDEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "6B821243-5C36-4B54-8180-C88740B2D58F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "83F52DED-EC06-42F9-B851-7E99B0D74851", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "74E55244-D41E-48CB-BF65-67F5FE17A703", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "7EFD25C8-EBEA-40D0-8D38-23770EA010AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "51C6F793-FC42-4189-ACB7-E4CC5BEFA7B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.14.0:*:*:*:*:*:*:*", "matchCriteriaId": "3EF63DDD-3909-495D-A7CF-514A19ED04DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F7396595-B40E-41CB-AAD8-6777A3FF5938", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.16.0:*:*:*:*:*:*:*", "matchCriteriaId": "4BB87904-83A0-42B6-A3B1-57F8A91847A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "455D1DE8-2794-458C-AEBB-C957701E511D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "AADF9D31-21F8-45AD-8B85-86244D4529F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "B6A90E52-0EF7-4C84-814F-9D6EE832C535", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache Wicket before 1.5.12, 6.x 
before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions." }, { "lang": "es", "value": "Apache Wicket en versiones anteriores a la 1.5.12, las versiones 6.x anteriores a la 6.17.0 y las versiones 7.x anteriores a la 7.0.0-M3 podr\u00eda permitir que atacantes remotos obtengan informaci\u00f3n sensible mediante vectores relacionados con identificadores para almacenar etiquetas de p\u00e1gina para sesiones de usuario temporales." } ], "id": "CVE-2014-3526", "lastModified": "2024-11-21T02:08:18.227", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-30T14:29:00.500", "references": [ { "source": "secalert@redhat.com", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party 
Advisory" ], "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-03 01:29
Modified
2024-11-21 02:56
Severity ?
Summary
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to detect some cross-origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server-side targets were subjected to the CSRF check. This was also fixed.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:6.20.0:*:*:*:*:*:*:*", "matchCriteriaId": "CE39FD3D-CDA9-4D99-A366-B2EA4BACBEA5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.21.0:*:*:*:*:*:*:*", "matchCriteriaId": "682D2CA1-2C60-435B-88A3-CF9FA0CD849F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.22.0:*:*:*:*:*:*:*", "matchCriteriaId": "D5A062A9-19FA-4C57-86EC-A947CF3694E9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.23.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4D4168A-48E4-4BEC-B005-6053C9DDD0AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.24.0:*:*:*:*:*:*:*", "matchCriteriaId": "E71E4459-6B11-4D2C-99C5-2D9242051CED", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "455D1DE8-2794-458C-AEBB-C957701E511D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EDBFF2B-1533-4C08-A0E1-48DB06BAB2F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B154816C-F671-4825-9D6C-CCA175FE5890", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5D304ABE-C7DB-4B2A-A33F-BC3AA39E4B3E", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "65E36EB8-C386-43CC-BCBE-9CEB34FC99A0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:8.0.0:m1:*:*:*:*:*:*", "matchCriteriaId": "2C1FA122-ED49-40B7-93E5-06ADDFBAA84D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. 
The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed." }, { "lang": "es", "value": "Apache Wicket en versiones 6.x anteriores a la 6.25.0, versiones 7.x anteriores a la 7.5.0 y en la versi\u00f3n 8.0.0-M1 proporciona una medida de prevenci\u00f3n de Cross-Site Request Forgery (CSRF) que no descubre determinadas peticiones de or\u00edgenes cruzados. La mitigaci\u00f3n no solo consiste en comprobar la cabecera HTTP Origin, sino que tambi\u00e9n tiene en cuenta la cabecera HTTP Referer cuando no se proporciona ninguna cabecera Origin. Adem\u00e1s, no todos los destinos del lado del servidor de Wicket se somet\u00edan a chequeos de Cross-Site Request Forgery (CSRF). Esto tambi\u00e9n se ha solucionado." } ], "id": "CVE-2016-6806", "lastModified": "2024-11-21T02:56:52.007", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": 
"nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-03T01:29:00.967", "references": [ { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-04-12 17:59
Modified
2024-11-21 02:32
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title.
References
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html | Vendor Advisory | |
secalert@redhat.com | http://www.securitytracker.com/id/1035165 | Third Party Advisory, VDB Entry | |
secalert@redhat.com | https://issues.apache.org/jira/browse/WICKET-6037 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1035165 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://issues.apache.org/jira/browse/WICKET-6037 | Exploit, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D81734E-4BD5-45D5-80AD-B6411A070A24", "versionEndExcluding": "1.5.15", "versionStartIncluding": "1.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC5AB86D-30D8-431A-AF00-496C5E5248ED", "versionEndExcluding": "6.22.0", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF392957-7CBF-45C3-A6D1-21B193B608DE", "versionEndExcluding": "7.2.0", "versionStartIncluding": "7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title." }, { "lang": "es", "value": "Vulnerabilidad de XSS en la funci\u00f3n getWindowOpenJavaScript en org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow en Apache Wicket 1.5.x en versiones anteriores a 1.5.15, 6.x en versiones anteriores a 6.22.0 y 7.x en versiones anteriores a 7.2.0 podr\u00eda permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un t\u00edtulo ModalWindow." 
} ], "id": "CVE-2015-5347", "lastModified": "2024-11-21T02:32:50.473", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-04-12T17:59:00.153", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id/1035165" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://issues.apache.org/jira/browse/WICKET-6037" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id/1035165" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor 
Advisory" ], "url": "https://issues.apache.org/jira/browse/WICKET-6037" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-30 19:29
Modified
2024-11-21 01:45
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to <script> tags in a rendered response.
References
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://www.securityfocus.com/bid/101644 | Third Party Advisory, VDB Entry | |
secalert@redhat.com | https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/101644 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
apache | wicket | 1.4.0 | |
apache | wicket | 1.4.1 | |
apache | wicket | 1.4.2 | |
apache | wicket | 1.4.3 | |
apache | wicket | 1.4.4 | |
apache | wicket | 1.4.5 | |
apache | wicket | 1.4.6 | |
apache | wicket | 1.4.7 | |
apache | wicket | 1.4.8 | |
apache | wicket | 1.4.9 | |
apache | wicket | 1.4.10 | |
apache | wicket | 1.4.11 | |
apache | wicket | 1.4.12 | |
apache | wicket | 1.4.13 | |
apache | wicket | 1.4.14 | |
apache | wicket | 1.4.15 | |
apache | wicket | 1.4.16 | |
apache | wicket | 1.4.17 | |
apache | wicket | 1.4.18 | |
apache | wicket | 1.4.19 | |
apache | wicket | 1.4.20 | |
apache | wicket | 1.4.21 | |
apache | wicket | 1.5.0 | |
apache | wicket | 1.5.1 | |
apache | wicket | 1.5.2 | |
apache | wicket | 1.5.3 | |
apache | wicket | 1.5.4 | |
apache | wicket | 1.5.5 | |
apache | wicket | 1.5.6 | |
apache | wicket | 1.5.7 | |
apache | wicket | 1.5.8 | |
apache | wicket | 1.5.9 | |
apache | wicket | 6.0.0 | |
apache | wicket | 6.1.0 | |
apache | wicket | 6.1.1 | |
apache | wicket | 6.2.0 | |
apache | wicket | 6.3.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5DC8D24C-2501-4FA6-BAB9-F51D6CACEFC9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "22992CF6-6E59-47CD-ACA6-87EEB0E48FDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "1676E4E8-B7C4-4107-A8BF-D70F14B7230C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "3606F125-B3D9-4347-965F-AE632D861543", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "03D21845-F146-4DDD-B4AD-C2A587652BB6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "31022C02-15EE-4BF9-A224-F3B0073E0AF8", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "D474779B-A497-402A-96FA-372DE208C2CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "6169BE6B-AF63-4DDC-8EBF-06DB55A3E9C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "B4AFDECA-4622-4517-A105-3CC5A28E8E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "5633A8F1-3293-46A9-85CF-132DF43FA2EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "2E0C154E-D85F-4D98-BC14-378DDEBEDE63", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "E2363D36-C48D-47E4-8870-81FE4204511E", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "504D3DC9-DDF2-4162-AA55-947FF510392F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": 
"E8F77C3A-2FF3-4F2D-B399-6969DB900364", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "B4145A4C-D783-426A-A59A-812C50E44DCD", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "DF61708E-E966-4C82-AEF8-CF2E08F69D2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.16:*:*:*:*:*:*:*", "matchCriteriaId": "0D2E15E2-56F3-4B41-B8CB-97A196C201FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.17:*:*:*:*:*:*:*", "matchCriteriaId": "0E8962F1-2107-455D-8197-AE08B4097B72", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "395C7BE2-EE16-4659-9E18-4A6F348D2428", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.19:*:*:*:*:*:*:*", "matchCriteriaId": "A08BD56A-1033-452E-929A-A922277963BB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.20:*:*:*:*:*:*:*", "matchCriteriaId": "A7663A85-1338-4DB4-87EE-527EE303381B", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.21:*:*:*:*:*:*:*", "matchCriteriaId": "03FFA363-D9C0-4806-9DA9-2110CD10A5A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A5F0F32-F5EF-4E9B-B832-115CC041BC6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "24AD7290-714C-48DB-88AF-EB83CEB7E879", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "D2FF7823-F324-4428-A047-7A7B3C89E25A", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "16816B8B-6E66-4F42-886C-FC44FC6108CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "46B33A86-0253-47E3-BC27-1AED5B8B3003", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.5:*:*:*:*:*:*:*", "matchCriteriaId": 
"7B46EBE4-D1C9-43FB-A9AD-249AD01BC38E", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "98375403-4DF9-43B4-8601-7932EBE40526", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "BBBAA82C-F304-4488-97C2-B8C357465B2F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "FDEBB9A4-38B8-4B67-9F0D-D28796B88009", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "FBC9D7ED-9785-40C2-B3C8-141FD2CE3C26", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "E8C2287A-F526-44C4-AD1D-0BE7857C1FC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF725E92-BAB8-4A0D-925B-AD4F6065E1D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "7C61C7A6-3233-4710-92B6-46562AF18479", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "330AA15C-8A05-4302-AD8A-54DE6015642F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "18F7EBAA-BE71-43C6-8F28-B23511B88402", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \u003cscript\u003e tags in a rendered response." 
}, { "lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en Apache Wicket en versiones 1.4.x anteriores a la 1.4.22, versiones 1.5.x anteriores a la 1.5.10 y las versiones 6.x anteriores a la 6.4.0 podr\u00eda permitir que atacantes remotos inyecten scripts web o HTML arbitrarios mediante vectores relacionados con las etiquetas \u003cscript\u003e." } ], "id": "CVE-2012-5636", "lastModified": "2024-11-21T01:45:01.050", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-30T19:29:00.247", "references": [ { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/101644" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/101644" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-08-29 15:55
Modified
2024-11-21 01:28
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
apache | wicket | 1.4.0 | |
apache | wicket | 1.4.1 | |
apache | wicket | 1.4.2 | |
apache | wicket | 1.4.3 | |
apache | wicket | 1.4.4 | |
apache | wicket | 1.4.5 | |
apache | wicket | 1.4.6 | |
apache | wicket | 1.4.7 | |
apache | wicket | 1.4.8 | |
apache | wicket | 1.4.9 | |
apache | wicket | 1.4.10 | |
apache | wicket | 1.4.11 | |
apache | wicket | 1.4.12 | |
apache | wicket | 1.4.13 | |
apache | wicket | 1.4.14 | |
apache | wicket | 1.4.15 | |
apache | wicket | 1.4.16 | |
apache | wicket | 1.4.17 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5DC8D24C-2501-4FA6-BAB9-F51D6CACEFC9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "22992CF6-6E59-47CD-ACA6-87EEB0E48FDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "1676E4E8-B7C4-4107-A8BF-D70F14B7230C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "3606F125-B3D9-4347-965F-AE632D861543", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "03D21845-F146-4DDD-B4AD-C2A587652BB6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "31022C02-15EE-4BF9-A224-F3B0073E0AF8", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "D474779B-A497-402A-96FA-372DE208C2CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "6169BE6B-AF63-4DDC-8EBF-06DB55A3E9C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "B4AFDECA-4622-4517-A105-3CC5A28E8E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "5633A8F1-3293-46A9-85CF-132DF43FA2EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "2E0C154E-D85F-4D98-BC14-378DDEBEDE63", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "E2363D36-C48D-47E4-8870-81FE4204511E", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "504D3DC9-DDF2-4162-AA55-947FF510392F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": 
"E8F77C3A-2FF3-4F2D-B399-6969DB900364", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "B4145A4C-D783-426A-A59A-812C50E44DCD", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "DF61708E-E966-4C82-AEF8-CF2E08F69D2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.16:*:*:*:*:*:*:*", "matchCriteriaId": "0D2E15E2-56F3-4B41-B8CB-97A196C201FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.17:*:*:*:*:*:*:*", "matchCriteriaId": "0E8962F1-2107-455D-8197-AE08B4097B72", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters." }, { "lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en Apache Wicket v1.4.x antes de v1.4.18, cuando setAutomaticMultiWindowSupport est\u00e1 habilitado, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de par\u00e1metros no especificados." 
} ], "id": "CVE-2011-2712", "lastModified": "2024-11-21T01:28:48.790", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-08-29T15:55:01.440", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/45727" }, { "source": "secalert@redhat.com", "url": "http://securityreason.com/securityalert/8357" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/2011/08/23/cve-2011-2712.html" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/519398/100/0/threaded" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/49290" }, { "source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id?1025976" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69394" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/45727" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/8357" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/2011/08/23/cve-2011-2712.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/519398/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"url": "http://www.securityfocus.com/bid/49290" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1025976" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69394" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-04-12 17:59
Modified
2024-11-21 02:36
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted "value" attribute in a <input> element.
References
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html | Vendor Advisory | |
secalert@redhat.com | http://www.securitytracker.com/id/1035166 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1035166 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D81734E-4BD5-45D5-80AD-B6411A070A24", "versionEndExcluding": "1.5.15", "versionStartIncluding": "1.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC5AB86D-30D8-431A-AF00-496C5E5248ED", "versionEndExcluding": "6.22.0", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB23C89B-AFA2-4556-B0C0-2D12ED25E6D7", "versionEndExcluding": "7.2.0", "versionStartIncluding": "7.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted \"value\" attribute in a \u003cinput\u003e element." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en las clases (1) RadioGroup y (2) CheckBoxMultipleChoice en Apache Wicket 1.5.x en versiones anteriores a 1.5.15, 6.x en versiones anteriores a 6.22.0 y 7.x en versiones anteriores a 7.2.0 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un atributo \"value\" manipulado en un elemento \u003cinput\u003e." 
} ], "id": "CVE-2015-7520", "lastModified": "2024-11-21T02:36:55.433", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-04-12T17:59:01.217", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id/1035166" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id/1035166" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-02-10 23:55
Modified
2024-11-21 01:50
Severity ?
Summary
Unspecified vulnerability in Apache Wicket 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0 allows remote attackers to obtain sensitive information via vectors that cause raw HTML templates to be rendered without being processed and reading the information that is outside of wicket:panel markup.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
apache | wicket | 1.4.0 | |
apache | wicket | 1.4.1 | |
apache | wicket | 1.4.10 | |
apache | wicket | 1.4.11 | |
apache | wicket | 1.4.12 | |
apache | wicket | 1.4.13 | |
apache | wicket | 1.4.14 | |
apache | wicket | 1.4.15 | |
apache | wicket | 1.4.16 | |
apache | wicket | 1.4.17 | |
apache | wicket | 1.4.18 | |
apache | wicket | 1.4.19 | |
apache | wicket | 1.4.20 | |
apache | wicket | 1.4.21 | |
apache | wicket | 1.4.22 | |
apache | wicket | 1.5.0 | |
apache | wicket | 1.5.1 | |
apache | wicket | 1.5.2 | |
apache | wicket | 1.5.3 | |
apache | wicket | 1.5.4 | |
apache | wicket | 1.5.5 | |
apache | wicket | 1.5.6 | |
apache | wicket | 1.5.7 | |
apache | wicket | 1.5.8 | |
apache | wicket | 1.5.9 | |
apache | wicket | 1.5.10 | |
apache | wicket | 6.1.0 | |
apache | wicket | 6.1.1 | |
apache | wicket | 6.2.0 | |
apache | wicket | 6.3.0 | |
apache | wicket | 6.4.0 | |
apache | wicket | 6.5.0 | |
apache | wicket | 6.6.0 | |
apache | wicket | 6.7.0 | |
apache | wicket | 6.8.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5DC8D24C-2501-4FA6-BAB9-F51D6CACEFC9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "22992CF6-6E59-47CD-ACA6-87EEB0E48FDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "2E0C154E-D85F-4D98-BC14-378DDEBEDE63", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "E2363D36-C48D-47E4-8870-81FE4204511E", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "504D3DC9-DDF2-4162-AA55-947FF510392F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "E8F77C3A-2FF3-4F2D-B399-6969DB900364", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "B4145A4C-D783-426A-A59A-812C50E44DCD", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "DF61708E-E966-4C82-AEF8-CF2E08F69D2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.16:*:*:*:*:*:*:*", "matchCriteriaId": "0D2E15E2-56F3-4B41-B8CB-97A196C201FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.17:*:*:*:*:*:*:*", "matchCriteriaId": "0E8962F1-2107-455D-8197-AE08B4097B72", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "395C7BE2-EE16-4659-9E18-4A6F348D2428", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.19:*:*:*:*:*:*:*", "matchCriteriaId": "A08BD56A-1033-452E-929A-A922277963BB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.20:*:*:*:*:*:*:*", "matchCriteriaId": "A7663A85-1338-4DB4-87EE-527EE303381B", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.21:*:*:*:*:*:*:*", "matchCriteriaId": 
"03FFA363-D9C0-4806-9DA9-2110CD10A5A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.22:*:*:*:*:*:*:*", "matchCriteriaId": "4A7D13F9-FFF0-4E49-9DB5-9B6E2B0122A4", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A5F0F32-F5EF-4E9B-B832-115CC041BC6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "24AD7290-714C-48DB-88AF-EB83CEB7E879", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "D2FF7823-F324-4428-A047-7A7B3C89E25A", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "16816B8B-6E66-4F42-886C-FC44FC6108CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "46B33A86-0253-47E3-BC27-1AED5B8B3003", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "7B46EBE4-D1C9-43FB-A9AD-249AD01BC38E", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "98375403-4DF9-43B4-8601-7932EBE40526", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "BBBAA82C-F304-4488-97C2-B8C357465B2F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "FDEBB9A4-38B8-4B67-9F0D-D28796B88009", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "FBC9D7ED-9785-40C2-B3C8-141FD2CE3C26", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.10:*:*:*:*:*:*:*", "matchCriteriaId": "E58A9F81-EB16-4DAA-955F-149229B3E1B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF725E92-BAB8-4A0D-925B-AD4F6065E1D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"7C61C7A6-3233-4710-92B6-46562AF18479", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "330AA15C-8A05-4302-AD8A-54DE6015642F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "18F7EBAA-BE71-43C6-8F28-B23511B88402", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "A9D513BF-CC50-4F96-8926-55081BF98EDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "4DCDA2F5-3C16-4093-81BD-EAB43A804419", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "ECE30441-B145-4860-AD95-DF20AB4D8DFB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "710697FA-A859-4E66-B3A2-5A03AB21B1D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "7C5A33E3-166A-41CE-8542-7AEEEC8DB42D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in Apache Wicket 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0 allows remote attackers to obtain sensitive information via vectors that cause raw HTML templates to be rendered without being processed and reading the information that is outside of wicket:panel markup." }, { "lang": "es", "value": "Vulnerabilidad no especificada en Apache Wicket 1.4.x anterior a 1.4.23, 1.5.x anterior a 1.5.11 y 6.x anterior a 6.8.0 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de vectores que causan la renderizaci\u00f3n de plantillas HTML en bruto sin ser procesado y sin leer la informaci\u00f3n encontrada fuera del marcado wicket:panel." 
} ], "id": "CVE-2013-2055", "lastModified": "2024-11-21T01:50:56.683", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-02-10T23:55:04.933", "references": [ { "source": "secalert@redhat.com", "url": "http://osvdb.org/102955" }, { "source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2014/Feb/38" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/65431" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://wicket.apache.org/2013/05/17/wicket-6.8.0-released.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://wicket.apache.org/2014/02/06/cve-2013-2055.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/102955" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2014/Feb/38" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/65431" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://wicket.apache.org/2013/05/17/wicket-6.8.0-released.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://wicket.apache.org/2014/02/06/cve-2013-2055.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], 
"source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-09-15 20:29
Modified
2024-11-21 02:18
Summary
Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AE2A0CF-ADE9-4708-B3E8-2FD5DC7E5FF5", "versionEndExcluding": "1.5.13", "versionStartIncluding": "1.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "F935C3AF-B4F6-48BA-879F-C916CA6C2D0E", "versionEndExcluding": "6.19.0", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "AADF9D31-21F8-45AD-8B85-86244D4529F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "B6A90E52-0EF7-4C84-814F-9D6EE832C535", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "4BC0D445-E39E-472B-8CB9-F363517064CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "F973CD8F-987E-4772-BF35-90076F403796", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "ED3DF7AF-FA68-4DEF-B098-B96510E9ED06", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider." }, { "lang": "es", "value": "Apache Wicket en versiones anteriores a la 1.5.13, 6.x anteriores a la 6.19.0 y 7.x anteriores a la 7.0.0-M5 facilita que los atacantes superen el mecanismo de protecci\u00f3n criptogr\u00e1fica y predigan URL cifradas aprovechando el uso de CryptoMapper como proveedor por defecto de cifrado." 
} ], "id": "CVE-2014-7808", "lastModified": "2024-11-21T02:18:02.937", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-09-15T20:29:00.193", "references": [ { "source": "secalert@redhat.com", "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "CWE-310" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-03 01:29
Modified
2024-11-21 02:01
Summary
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special URLs handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third-party library with a known security vulnerability is in use.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:1.5.10:*:*:*:*:*:*:*", "matchCriteriaId": "E58A9F81-EB16-4DAA-955F-149229B3E1B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:6.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "51C6F793-FC42-4189-ACB7-E4CC5BEFA7B2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use." }, { "lang": "es", "value": "En Apache Wicket 1 5 10 o 6 13 0, al enviar peticiones a URL especiales manejadas por Wicket, es posible comprobar la existencia de clases espec\u00edficas en el classpath y por lo tanto se puede comprobar si hay alguna librer\u00eda externa con alguna vulnerabilida d conocida en uso" } ], "id": "CVE-2014-0043", "lastModified": "2024-11-21T02:01:14.283", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-03T01:29:00.327", "references": [ { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-25 17:15
Modified
2024-11-21 05:52
Summary
A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application, causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0 and later versions.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D5643CD-3063-4900-9EB7-86470C8C1384", "versionEndIncluding": "6.2.0", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "7793CFFA-F876-4DD4-8E2F-C34FBB79FC47", "versionEndIncluding": "7.17.0", "versionStartIncluding": "7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "02FE0D40-F64F-4EDA-B650-9AB6A13F5190", "versionEndIncluding": "8.11.0", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4009313-BE49-4B49-A890-59FDE9D9E0C1", "versionEndIncluding": "9.2.0", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions." 
}, { "lang": "es", "value": "Un proxy DNS y una posible vulnerabilidad de ataque de amplificaci\u00f3n en WebClientInfo de Apache Wicket permiten que un atacante active b\u00fasquedas de DNS arbitrarias desde el servidor cuando el encabezado X-Fordered-For no se sanea correctamente.\u0026#xa0;Esta b\u00fasqueda de DNS puede ser dise\u00f1ada para sobrecargar un servidor DNS interno o para ralentizar el procesamiento de peticiones de la aplicaci\u00f3n Apache Wicket, lo que provoca una posible Denegaci\u00f3n de Servicio en la infraestructura interna o en la propia aplicaci\u00f3n web.\u0026#xa0;Este problema afecta a Apache Wicket Apache Wicket 9.x versiones 9.2.0 y anteriores;\u0026#xa0;Apache Wicket 8.x versiones 8.11.0 y anteriores;\u0026#xa0;Apache Wicket 7.x versiones 7.17.0 y anteriores y Apache Wicket 6.x versiones 6.2.0 y posteriores" } ], "id": "CVE-2021-23937", "lastModified": "2024-11-21T05:52:05.323", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2021-05-25T17:15:08.187", "references": [ { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Release Notes", "Vendor Advisory" ], "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Release Notes", "Vendor Advisory" ], "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-03-23 18:55
Modified
2024-11-21 01:36
Summary
Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 and 1.5.x before 1.5.5 allows remote attackers to read arbitrary web-application files via a relative pathname in a URL for a Wicket resource that corresponds to a null package.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
apache | wicket | 1.4.0 | |
apache | wicket | 1.4.1 | |
apache | wicket | 1.4.2 | |
apache | wicket | 1.4.3 | |
apache | wicket | 1.4.4 | |
apache | wicket | 1.4.5 | |
apache | wicket | 1.4.6 | |
apache | wicket | 1.4.7 | |
apache | wicket | 1.4.8 | |
apache | wicket | 1.4.9 | |
apache | wicket | 1.4.10 | |
apache | wicket | 1.4.11 | |
apache | wicket | 1.4.12 | |
apache | wicket | 1.4.13 | |
apache | wicket | 1.4.14 | |
apache | wicket | 1.4.15 | |
apache | wicket | 1.4.16 | |
apache | wicket | 1.4.17 | |
apache | wicket | 1.4.18 | |
apache | wicket | 1.4.19 | |
apache | wicket | 1.5.0 | |
apache | wicket | 1.5.1 | |
apache | wicket | 1.5.2 | |
apache | wicket | 1.5.3 | |
apache | wicket | 1.5.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5DC8D24C-2501-4FA6-BAB9-F51D6CACEFC9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "22992CF6-6E59-47CD-ACA6-87EEB0E48FDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "1676E4E8-B7C4-4107-A8BF-D70F14B7230C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "3606F125-B3D9-4347-965F-AE632D861543", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "03D21845-F146-4DDD-B4AD-C2A587652BB6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "31022C02-15EE-4BF9-A224-F3B0073E0AF8", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "D474779B-A497-402A-96FA-372DE208C2CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "6169BE6B-AF63-4DDC-8EBF-06DB55A3E9C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "B4AFDECA-4622-4517-A105-3CC5A28E8E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "5633A8F1-3293-46A9-85CF-132DF43FA2EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "2E0C154E-D85F-4D98-BC14-378DDEBEDE63", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "E2363D36-C48D-47E4-8870-81FE4204511E", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "504D3DC9-DDF2-4162-AA55-947FF510392F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": 
"E8F77C3A-2FF3-4F2D-B399-6969DB900364", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "B4145A4C-D783-426A-A59A-812C50E44DCD", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "DF61708E-E966-4C82-AEF8-CF2E08F69D2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.16:*:*:*:*:*:*:*", "matchCriteriaId": "0D2E15E2-56F3-4B41-B8CB-97A196C201FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.17:*:*:*:*:*:*:*", "matchCriteriaId": "0E8962F1-2107-455D-8197-AE08B4097B72", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "395C7BE2-EE16-4659-9E18-4A6F348D2428", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.19:*:*:*:*:*:*:*", "matchCriteriaId": "A08BD56A-1033-452E-929A-A922277963BB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A5F0F32-F5EF-4E9B-B832-115CC041BC6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "24AD7290-714C-48DB-88AF-EB83CEB7E879", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "D2FF7823-F324-4428-A047-7A7B3C89E25A", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "16816B8B-6E66-4F42-886C-FC44FC6108CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "46B33A86-0253-47E3-BC27-1AED5B8B3003", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 and 1.5.x before 1.5.5 allows remote attackers to read arbitrary web-application files via a relative pathname in a URL 
for a Wicket resource that corresponds to a null package." }, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en Apache Wicket v1.4.x anteriores a v1.4.20 y v1.5.x anteriores a v1.5.5 permite a atacantes remotos leer ficheros de aplicaci\u00f3n Web a trav\u00e9s de rutas relativas en una URL en un recurso Wicket que corresponde un paquete nulo. \r\n\r\n\r\n" } ], "id": "CVE-2012-1089", "lastModified": "2024-11-21T01:36:23.420", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-03-23T18:55:01.177", "references": [ { "source": "secalert@redhat.com", "url": "http://osvdb.org/80301" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-1089.html" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/52679" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74276" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/80301" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-1089.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/52679" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74276" } ], "sourceIdentifier": "secalert@redhat.com", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-08-11 19:15
Modified
2024-11-21 04:59
Summary
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:fortress:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "D1E8415A-630F-49E7-884B-7709152FCC1A", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "78B9CFEA-EB05-4194-AD11-E9FE027E8672", "versionEndExcluding": "7.17.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "433CC8EE-1FF6-4775-8BB3-C2856D0D6C84", "versionEndExcluding": "8.9.0", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:9.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "0AF306D2-9108-49E8-993F-41D3727A0928", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:9.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "A5FEF5B5-EF69-4BD4-BACD-48B2997F1C31", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:9.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "A6150044-BE40-41C8-AE2A-4467FB112979", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:9.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "1FC13E6E-5635-4A6F-809D-FF6E82105D25", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:9.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "CEEA9DE0-E0C9-4840-9928-A079136324F0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5" }, { "lang": "es", "value": "Al crear una URL especial, es posible hacer que Wicket entregue plantillas HTML no procesadas. 
Esto permitir\u00eda a un atacante visualizar informaci\u00f3n posiblemente confidencial dentro de una plantilla HTML que es com\u00fanmente eliminada durante la renderizaci\u00f3n. Est\u00e1n afectadas las versiones 7.16.0, 8.8.0 y 9.0.0-M5 de Apache Wicket" } ], "id": "CVE-2020-11976", "lastModified": "2024-11-21T04:59:01.770", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-11T19:15:17.220", "references": [ { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Release Notes", "Vendor Advisory" ], "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E" }, { "source": "security@apache.org", "url": 
"https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Release Notes", "Vendor Advisory" ], "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-552" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-07-17 13:18
Modified
2024-11-21 02:56
Summary
The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5365E26-1F47-4D90-9406-C78EA38B35FF", "versionEndExcluding": "1.5.17", "versionStartIncluding": "1.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "D517A8BC-B16F-4B09-B4BB-49622CCDB564", "versionEndExcluding": "6.25.0", "versionStartIncluding": "6.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object." }, { "lang": "es", "value": "La clase de DiskFileItem en Apache Wicket versi\u00f3n 6.x anterior a 6.25.0 y versi\u00f3n 1.5.x anterior a 1.5.17 permite a los atacantes remotos causar una denegaci\u00f3n de servicio (infinite loop) escribir, mover y eliminar archivos con los permisos de DiskFileItem, y Si se ejecuta en una m\u00e1quina virtual Java versi\u00f3n anterior a la 1.3.1, ejecute un c\u00f3digo arbitrario por medio de un objeto Java serializado creado." 
} ], "id": "CVE-2016-6793", "lastModified": "2024-11-21T02:56:50.030", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-07-17T13:18:06.500", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/31/1" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/539975/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/95168" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id/1037541" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": 
"https://www.tenable.com/security/research/tra-2016-23" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/31/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/539975/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/95168" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id/1037541" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.tenable.com/security/research/tra-2016-23" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-502" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-03-23 18:55
Modified
2024-11-21 01:34
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the wicket:pageMapName parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
apache | wicket | 1.4.0 | |
apache | wicket | 1.4.1 | |
apache | wicket | 1.4.2 | |
apache | wicket | 1.4.3 | |
apache | wicket | 1.4.4 | |
apache | wicket | 1.4.5 | |
apache | wicket | 1.4.6 | |
apache | wicket | 1.4.7 | |
apache | wicket | 1.4.8 | |
apache | wicket | 1.4.9 | |
apache | wicket | 1.4.10 | |
apache | wicket | 1.4.11 | |
apache | wicket | 1.4.12 | |
apache | wicket | 1.4.13 | |
apache | wicket | 1.4.14 | |
apache | wicket | 1.4.15 | |
apache | wicket | 1.4.16 | |
apache | wicket | 1.4.17 | |
apache | wicket | 1.4.18 | |
apache | wicket | 1.4.19 | |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:wicket:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5DC8D24C-2501-4FA6-BAB9-F51D6CACEFC9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "22992CF6-6E59-47CD-ACA6-87EEB0E48FDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "1676E4E8-B7C4-4107-A8BF-D70F14B7230C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "3606F125-B3D9-4347-965F-AE632D861543", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "03D21845-F146-4DDD-B4AD-C2A587652BB6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "31022C02-15EE-4BF9-A224-F3B0073E0AF8", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "D474779B-A497-402A-96FA-372DE208C2CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "6169BE6B-AF63-4DDC-8EBF-06DB55A3E9C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "B4AFDECA-4622-4517-A105-3CC5A28E8E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "5633A8F1-3293-46A9-85CF-132DF43FA2EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "2E0C154E-D85F-4D98-BC14-378DDEBEDE63", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "E2363D36-C48D-47E4-8870-81FE4204511E", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "504D3DC9-DDF2-4162-AA55-947FF510392F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": 
"E8F77C3A-2FF3-4F2D-B399-6969DB900364", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "B4145A4C-D783-426A-A59A-812C50E44DCD", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "DF61708E-E966-4C82-AEF8-CF2E08F69D2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.16:*:*:*:*:*:*:*", "matchCriteriaId": "0D2E15E2-56F3-4B41-B8CB-97A196C201FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.17:*:*:*:*:*:*:*", "matchCriteriaId": "0E8962F1-2107-455D-8197-AE08B4097B72", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "395C7BE2-EE16-4659-9E18-4A6F348D2428", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:wicket:1.4.19:*:*:*:*:*:*:*", "matchCriteriaId": "A08BD56A-1033-452E-929A-A922277963BB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the wicket:pageMapName parameter." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en Apache Wicket v1.4.x anteriores a v1.4.20, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro wicket:pageMapName." 
} ], "id": "CVE-2012-0047", "lastModified": "2024-11-21T01:34:17.037", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-03-23T18:55:01.127", "references": [ { "source": "secalert@redhat.com", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0112.html" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/80300" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html" }, { "source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id?1026839" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74273" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0112.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/80300" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1026839" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74273" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", 
"type": "Primary" } ] }