Posted to users@wicket.apache.org by Sven Meier <sv...@apache.org> on 2016/03/01 17:07:30 UTC

[CVE-2015-5347] Apache Wicket XSS vulnerability

Severity:
Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.5.x, 6.x and 7.x

Description:
It is possible for JavaScript statements to break out of a ModalWindow's title:
only quotes are escaped in the JavaScript settings object, allowing JavaScript
to be injected into the markup.

This might pose a security threat if the written JavaScript contains
user-provided data.

This vulnerability is fixed in
- Apache Wicket 7.2.0
- Apache Wicket 6.22.0
- Apache Wicket 1.5.15

The title is now escaped by default; this can be disabled explicitly via
   modalWindow.setEscapeModelStrings(false).
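To show why escaping only quotes is not enough for a value embedded in an inline-script settings object, here is an added JavaScript example; it is not Wicket's code, and escapeQuotesOnly, escapeJsString, renderSettings, scriptClosedEarly and the sample title are constructed for illustration.

```javascript
// Added example (not Wicket's implementation): a quote-only escaper, as the
// advisory describes for affected versions, beside a context-aware encoder
// that is safe for a JS string literal placed inside an HTML <script> element.

// Escapes only double quotes (simplified illustration of the weak approach).
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"');
}

// Escapes backslash, quotes, angle brackets, ampersand, control characters and
// the JS line terminators U+2028/U+2029 as \uXXXX, so nothing in the value can
// end the string literal or the enclosing <script> element.
function escapeJsString(s) {
  return s.replace(/[\\"'<>&\u0000-\u001f\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Renders a settings object in the shape of an inline script (constructed
// shape, not the exact markup Wicket emits).
function renderSettings(title, encoder) {
  return '<script>var settings = { title: "' + encoder(title) + '" };</script>';
}

// Detection check: the HTML parser ends a script element at the first
// "</script" it sees, so more than one occurrence means the title broke out
// of the string literal into the markup.
function scriptClosedEarly(markup) {
  return (markup.match(/<\/script/gi) || []).length > 1;
}

// Constructed sample title containing a closing script tag, i.e. the kind of
// user-provided data the advisory warns about.
const SAMPLE_TITLE = 'Report </script><b>not a title</b>';

console.log(scriptClosedEarly(renderSettings(SAMPLE_TITLE, escapeQuotesOnly))); // true
console.log(scriptClosedEarly(renderSettings(SAMPLE_TITLE, escapeJsString)));   // false
```

The encoded value still decodes to the original title (the \uXXXX escapes are valid in a JS string literal), so the fix costs nothing in functionality.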

Credit:
This issue was reported by Tobias Gierke!

Apache Wicket Team