Posted to users@wicket.apache.org by Martin Grigorov <mg...@apache.org> on 2015/02/18 21:18:43 UTC
CVE-2014-7808

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.5.12, 6.18.0 and 7.0.0-M4

Description:
With Wicket's default security settings, the use of CryptoMapper to
encrypt/obfuscate page URLs is not strong enough.
It is possible to predict the encrypted version of a URL based on the
previous history.

Application developers using this feature are recommended to upgrade
to:
- Apache Wicket 1.5.13
- Apache Wicket 6.19.0
- Apache Wicket 7.0.0-M5

Credit:
This issue was reported by Fabian Faessler!

Apache Wicket Team