[CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter

---

• From: Martin Grigorov <mgrigorov@xxxxxxxxxx>
• Date: Thu, 22 Mar 2012 11:49:53 +0200

---

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x

Apache Wicket 1.3.x and 1.5.x are not affected

Description:
A Cross Site Scripting (XSS) attack is possible by manipulating the
value of 'wicket:pageMapName'
request parameter.

Mitigation:
Upgrade to Apache Wicket 1.4.20 or 1.5.5.

Credit:
This issue was discovered by Jens Schenck.

Apache Wicket Team

---

• Prev by Date: struts2 xsltResult Local code execution vulnerability
• Next by Date: [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability
• Previous by thread: struts2 xsltResult Local code execution vulnerability
• Next by thread: [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability
• Index(es):
  • Date
  • Thread

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > bugtraq  > 2012-03