[CVE-2012-3373] Apache Wicket XSS vulnerability via manipulated URL parameter
- From: Carl-Eric Menzel <cmenzel@xxxxxxxxxxxxx>
- Date: Thu, 6 Sep 2012 15:37:45 +0200
The Apache Software Foundation

Apache Wicket 1.4.x and 1.5.x

adding an encoded null byte to a URL pointing to a Wicket app. This
could be done by sending a legitimate user a manipulated URL and
tricking the user into clicking on it.

This vulnerability is fixed in
- Apache Wicket 1.4.21
- Apache Wicket 1.5.8

Apache Wicket 6.0.0 is not affected.

This issue was reported by Thomas Heigl.

Apache Wicket Team
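
An added example, not part of the advisory and not Apache Wicket code: one way to look for the request pattern described above (an encoded null byte in a URL) in web server access logs. It assumes combined-format log lines; the sample lines, paths and function names are constructed, and the check goes slightly beyond the advisory by also catching nested encodings such as %2500.

```python
import re
from urllib.parse import unquote

# Request line inside an access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(
    r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # assumption: enough to catch %00, %2500 and %252500


def null_byte_depth(target):
    """Return the 1-based decoding round at which a NUL byte shows up, or 0."""
    current = target
    for depth in range(1, MAX_DECODE_ROUNDS + 1):
        decoded = unquote(current, encoding="latin-1")
        if "\x00" in decoded:
            return depth
        if decoded == current:  # nothing left to decode
            return 0
        current = decoded
    return 0


def flag_null_byte_requests(log_lines):
    """Return (line_number, request_target, depth) for requests with an encoded NUL."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        depth = null_byte_depth(match.group(1))
        if depth:
            hits.append((number, match.group(1), depth))
    return hits


# Constructed sample log lines (not taken from the advisory or a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Sep/2012:15:40:01 +0200] "GET /app/home?page=2 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [06/Sep/2012:15:40:07 +0200] "GET /app/home?page=2%00x HTTP/1.1" 200 5133',
    '192.0.2.12 - - [06/Sep/2012:15:40:09 +0200] "GET /app/home?page=2%2500x HTTP/1.1" 200 5133',
    '192.0.2.13 - - [06/Sep/2012:15:40:15 +0200] "GET /app/search?q=100%25 HTTP/1.1" 200 811',
    '192.0.2.14 - - [06/Sep/2012:15:40:20 +0200] "-" 408 0',
]

if __name__ == "__main__":
    for number, target, depth in flag_null_byte_requests(SAMPLE_LOG):
        print(f"line {number}: encoded NUL after {depth} decode round(s): {target}")
```

A hit only shows that such a URL was requested; whether the application was exposed depends on the Wicket version it was running at the time.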