Posted to users@wicket.apache.org by Martin Grigorov <mg...@apache.org> on 2016/03/02 16:03:54 UTC

[CVE-2015-7520] Apache Wicket XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x

Description:

It is possible for JavaScript statements to break out of the “value”
attribute of the <input> elements rendered by RadioGroup and
CheckBoxMultipleChoice.

This might pose a security threat if the written JavaScript contains
user-provided data.

Application developers are advised to upgrade to:

- Apache Wicket 1.5.15
- Apache Wicket 6.22.0
- Apache Wicket 7.2.0

Credit: This issue was reported by Canh Ngo!

Apache Wicket Team
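
The attribute break-out described in the advisory, shown as an added example that is not Apache Wicket source code and not part of the original message. The class, the method names and the sample values are hypothetical; the example only contrasts writing a choice value into a double-quoted "value" attribute as-is with escaping it first.

```java
// Added illustration; not Apache Wicket source code. All names here are hypothetical.
public class ValueAttributeEscaping {

    // Escapes the characters that can end a quoted HTML attribute or open a tag.
    static String escapeAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Flawed pattern: the choice value is concatenated into the attribute as-is.
    static String renderUnescaped(String value) {
        return "<input type=\"radio\" name=\"group\" value=\"" + value + "\"/>";
    }

    // Corrected pattern: the value is escaped before it is written.
    static String renderEscaped(String value) {
        return "<input type=\"radio\" name=\"group\" value=\"" + escapeAttribute(value) + "\"/>";
    }

    // Counts raw double quotes in a tag. A tag from the renderers above has
    // three quoted attributes, so any count other than 6 means the value
    // closed its attribute early and introduced markup of its own.
    static long rawQuotes(String tag) {
        return tag.chars().filter(ch -> ch == '"').count();
    }

    public static void main(String[] args) {
        // Constructed sample values: one ordinary, one containing a double quote.
        String[] values = { "blue", "x\" onclick=\"alert(1)" };
        for (String v : values) {
            String raw = renderUnescaped(v);
            String safe = renderEscaped(v);
            System.out.println(raw + "   raw quotes: " + rawQuotes(raw));
            System.out.println(safe + "   raw quotes: " + rawQuotes(safe));
        }
    }
}
```

The quote count is a convenient regression check for templates you render yourself; for Wicket applications the fix is the upgrade listed above.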