Posted to users@wicket.apache.org by Martin Grigorov <mg...@apache.org> on 2015/02/18 21:18:43 UTC

CVE-2014-7808

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.5.12, 6.18.0 and 7.0.0-M4

Description:

With Wicket's default security settings, the encryption/obfuscation of
page URLs provided by CryptoMapper is not strong enough.
It is possible to predict the encrypted version of a URL based on the
previous history.

Application developers using this feature are advised to upgrade
to:
- Apache Wicket 1.5.13
- Apache Wicket 6.19.0
- Apache Wicket 7.0.0-M5

Credit:
This issue was reported by Fabian Faessler!

Apache Wicket Team