Posted to announce@wicket.apache.org by Sven Meier <sv...@apache.org> on 2016/03/01 17:07:30 UTC
[CVE-2015-5347] Apache Wicket XSS vulnerability
Severity:
Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Wicket 1.5.x, 6.x and 7.x
Description:
It is possible for JavaScript statements to break out of a ModalWindow's title: only quotes are escaped in the JavaScript settings object, allowing JavaScript to be injected into the markup.
This might pose a security threat if the written JavaScript contains user provided data.
This vulnerability is fixed in
- Apache Wicket 7.2.0
- Apache Wicket 6.22.0
- Apache Wicket 1.5.15
The title is now escaped by default; this can be disabled explicitly via modalWindow.setEscapeModelStrings(false).
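As an added illustration (not Wicket's own code and not the patch that fixed this issue), the hypothetical Java helper below contrasts the quote-only escaping the advisory describes with escaping that is adequate for a value written into a string literal of an inline script settings object. The class name, method names and the sample title are constructed for this example; the keys of the settings map are assumed to be developer-controlled identifiers, and how Wicket implements its default title escaping is not shown here.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical helper (not part of Wicket) showing why escaping only quotes
 * is insufficient for a string embedded in an inline <script> block.
 */
public final class InlineScriptEscaping {

    /** The weak form the advisory describes: only double quotes are escaped. */
    static String quoteOnlyEscape(String value) {
        return value.replace("\"", "\\\"");
    }

    /**
     * Escapes a value for use inside a double-quoted JavaScript string literal
     * that is itself embedded in HTML markup. Besides quotes and backslashes,
     * characters that the HTML parser could read as markup ('<', '>', '&', '/')
     * and JavaScript line terminators are emitted as \\uXXXX escapes, which the
     * JavaScript engine decodes but the HTML parser never sees as markup.
     */
    static String escapeForInlineJsString(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '"':  sb.append("\\\""); break;
                case '\'': sb.append("\\'"); break;
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '<': case '>': case '&': case '/':
                case 0x2028: case 0x2029:              // JS line/paragraph separators
                    sb.append(String.format("\\u%04x", (int) c));
                    break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders a settings object the way a component might write it into an inline script. */
    static String renderSettings(Map<String, String> settings, boolean hardened) {
        StringBuilder sb = new StringBuilder("var settings = {");
        String sep = "";
        for (Map.Entry<String, String> e : settings.entrySet()) {
            String escaped = hardened ? escapeForInlineJsString(e.getValue())
                                      : quoteOnlyEscape(e.getValue());
            sb.append(sep).append(e.getKey()).append(": \"").append(escaped).append('"');
            sep = ", ";
        }
        return sb.append("};").toString();
    }

    /** True if the rendered script text contains no raw characters that could open or close markup. */
    static boolean containsNoMarkupChars(String script) {
        return script.indexOf('<') < 0 && script.indexOf('>') < 0 && script.indexOf('/') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample: a title that carries user-provided data with markup characters.
        Map<String, String> settings = new LinkedHashMap<>();
        settings.put("title", "Report for <b>Q1</b> \"draft\"");
        settings.put("width", "600");

        String weak = renderSettings(settings, false);
        String safe = renderSettings(settings, true);

        System.out.println("quote-only : " + weak);
        System.out.println("  markup-free? " + containsNoMarkupChars(weak));   // false
        System.out.println("hardened   : " + safe);
        System.out.println("  markup-free? " + containsNoMarkupChars(safe));   // true
    }
}
```

The check in `containsNoMarkupChars` is deliberately conservative: an inline script must never contain a raw `<`, `>` or `/` derived from untrusted input, because the HTML parser tokenizes the script body before the JavaScript engine ever sees the string escapes. In a Wicket application the simplest mitigation is to upgrade to a fixed version and leave the default escaping enabled rather than calling `setEscapeModelStrings(false)`.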
Credit:
This issue was reported by Tobias Gierke!
Apache Wicket Team