Posted to commits@wicket.apache.org by mg...@apache.org on 2016/03/02 16:00:54 UTC

wicket-site git commit: Add entry for CVE-2015-7520

Repository: wicket-site
Updated Branches:
  refs/heads/asf-site 8c4a5a553 -> 1f9ec1bfe


Add entry for CVE-2015-7520


Project: http://git-wip-us.apache.org/repos/asf/wicket-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket-site/commit/1f9ec1bf
Tree: http://git-wip-us.apache.org/repos/asf/wicket-site/tree/1f9ec1bf
Diff: http://git-wip-us.apache.org/repos/asf/wicket-site/diff/1f9ec1bf

Branch: refs/heads/asf-site
Commit: 1f9ec1bfe6bd8dcd7da2b23ea4eb895117541fae
Parents: 8c4a5a5
Author: Martin Tzvetanov Grigorov <mg...@apache.org>
Authored: Wed Mar 2 16:00:33 2016 +0100
Committer: Martin Tzvetanov Grigorov <mg...@apache.org>
Committed: Wed Mar 2 16:00:33 2016 +0100

----------------------------------------------------------------------
 _posts/2016/2016-03-02-cve-2015-7520.md    |  30 +++
 content/atom.xml                           | 271 ++++--------------------
 content/index.html                         |  27 ++-
 content/learn/index.html                   |   6 +-
 content/news/2016/03/02/cve-2015-7520.html |  84 ++++++++
 content/news/2016/03/index.html            |  12 ++
 content/news/2016/index.html               |   6 +
 content/news/index.html                    |   6 +
 8 files changed, 193 insertions(+), 249 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket-site/blob/1f9ec1bf/_posts/2016/2016-03-02-cve-2015-7520.md
----------------------------------------------------------------------
diff --git a/_posts/2016/2016-03-02-cve-2015-7520.md b/_posts/2016/2016-03-02-cve-2015-7520.md
new file mode 100644
index 0000000..d117dc4
--- /dev/null
+++ b/_posts/2016/2016-03-02-cve-2015-7520.md
@@ -0,0 +1,30 @@
+---
+layout: post
+title: CVE-2015-7520 Apache Wicket XSS vulnerability
+---
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache Wicket 1.5.x, 6.x and 7.x
+
+Description:
+
+It is possible for JavaScript statements to break out of a RadioGroup's 
+and CheckBoxMultipleChoice's "value" attribute of &lt;input&gt; elements
+
+This might pose a security threat if the written JavaScript contains user provided data.
+
+## The application developers are recommended to upgrade to: 
+    
+* [Apache Wicket 1.5.15](/news/2016/02/19/wicket-1.5.15-released.html)
+* [Apache Wicket 6.22.0](/news/2016/02/19/wicket-6.22.0-released.html)
+* [Apache Wicket 7.2.0](/news/2016/01/20/wicket-7.2.0-released.html)
+
+Credit:
+This issue was reported by Canh Ngo!
+
+Apache Wicket Team
\ No newline at end of file
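Review bot: "Versions Affected" in the new post reads "Apache Wicket 1.5.x, 6.x and 7.x" with no upper bound, while the upgrade list a few lines below names 1.5.15, 6.22.0 and 7.2.0. A reader who checks only that field cannot tell whether a current install is affected; if those are the first fixed releases, state the ranges as "1.5.x before 1.5.15, 6.x before 6.22.0, 7.x before 7.2.0". Smaller points in the same file: the description sentence ending in "&lt;input&gt; elements" has no closing period, the "## The application developers are recommended to upgrade to:" heading carries trailing whitespace, and the file ends without a newline.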

http://git-wip-us.apache.org/repos/asf/wicket-site/blob/1f9ec1bf/content/atom.xml
----------------------------------------------------------------------
diff --git a/content/atom.xml b/content/atom.xml
index b3b570e..51ac905 100644
--- a/content/atom.xml
+++ b/content/atom.xml
@@ -3,7 +3,7 @@
     <title>Apache Wicket</title>
     <link href="http://wicket.apache.org/atom.xml" rel="self"/>
     <link href="http://wicket.apache.org/"/>
-    <updated>2016-03-02T15:51:44+01:00</updated>
+    <updated>2016-03-02T15:59:59+01:00</updated>
     <id>http://wicket.apache.org/</id>
     <author>
         <name>Apache Wicket</name>
@@ -12,6 +12,41 @@
  
 
     <entry>
+        <title>CVE-2015-7520 Apache Wicket XSS vulnerability</title>
+        <link href="http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html"/>
+        <updated>2016-03-02T00:00:00+01:00</updated>
+        <id>http://wicket.apache.org/news/2016/03/02/cve-2015-7520</id>
+        <content type="html">&lt;p&gt;Severity: Important&lt;/p&gt;
+
+&lt;p&gt;Vendor:
+The Apache Software Foundation&lt;/p&gt;
+
+&lt;p&gt;Versions Affected:
+Apache Wicket 1.5.x, 6.x and 7.x&lt;/p&gt;
+
+&lt;p&gt;Description:&lt;/p&gt;
+
+&lt;p&gt;It is possible for JavaScript statements to break out of a RadioGroup’s 
+and CheckBoxMultipleChoice’s “value” attribute of &amp;lt;input&amp;gt; elements&lt;/p&gt;
+
+&lt;p&gt;This might pose a security threat if the written JavaScript contains user provided data.&lt;/p&gt;
+
+&lt;h2 id=&quot;the-application-developers-are-recommended-to-upgrade-to&quot;&gt;The application developers are recommended to upgrade to:&lt;/h2&gt;
+
+&lt;ul&gt;
+  &lt;li&gt;&lt;a href=&quot;/news/2016/02/19/wicket-1.5.15-released.html&quot;&gt;Apache Wicket 1.5.15&lt;/a&gt;&lt;/li&gt;
+  &lt;li&gt;&lt;a href=&quot;/news/2016/02/19/wicket-6.22.0-released.html&quot;&gt;Apache Wicket 6.22.0&lt;/a&gt;&lt;/li&gt;
+  &lt;li&gt;&lt;a href=&quot;/news/2016/01/20/wicket-7.2.0-released.html&quot;&gt;Apache Wicket 7.2.0&lt;/a&gt;&lt;/li&gt;
+&lt;/ul&gt;
+
+&lt;p&gt;Credit:
+This issue was reported by Canh Ngo!&lt;/p&gt;
+
+&lt;p&gt;Apache Wicket Team&lt;/p&gt;
+</content>
+    </entry>
+
+    <entry>
         <title>CVE-2015-5347 Apache Wicket XSS vulnerability</title>
         <link href="http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html"/>
         <updated>2016-03-01T00:00:00+01:00</updated>
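Review bot: The three upgrade links inside the new entry's <content type="html"> are site-relative (href=&quot;/news/2016/02/19/wicket-1.5.15-released.html&quot; and the two after it). Unless the feed element declares xml:base, which is not visible in this diff, some feed readers will not resolve them and the advisory's only remediation pointers will be dead links. Emit absolute http://wicket.apache.org/... URLs in feed content, as the entry's own <link href> already does.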
@@ -76,10 +111,10 @@ update any other dependencies on Wicket projects to the same version):&lt;/p&gt;
 &lt;p&gt;Or download and build the distribution yourself, or use our
 convenience binary package&lt;/p&gt;
 
-&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;
- * Source: http://www.apache.org/dyn/closer.cgi/wicket/6.22.0
- * Binaries: http://www.apache.org/dyn/closer.cgi/wicket/6.22.0/binaries
-&lt;/pre&gt;&lt;/div&gt;
+&lt;ul&gt;
+  &lt;li&gt;&lt;a href=&quot;http://www.apache.org/dyn/closer.cgi/wicket/6.22.0&quot;&gt;Sources&lt;/a&gt;&lt;/li&gt;
+  &lt;li&gt;&lt;a href=&quot;http://www.apache.org/dyn/closer.cgi/wicket/6.22.0/binaries&quot;&gt;Binaries&lt;/a&gt;&lt;/li&gt;
+&lt;/ul&gt;
 
 &lt;h3 id=&quot;upgrading-from-earlier-versions&quot;&gt;Upgrading from earlier versions&lt;/h3&gt;
 
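Review bot: The Source/Binaries rewrite in the existing 6.22.0 release entry is unrelated to the commit subject "Add entry for CVE-2015-7520" and looks like regenerated output from an earlier source edit; committing it separately would keep the advisory commit easy to audit. The new links also remain on http://www.apache.org/dyn/closer.cgi/...; if the download pages are served over https, prefer that scheme for release downloads.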
@@ -704,230 +739,4 @@ All other brands and trademarks are the property of their respective owners.&lt;
 </content>
     </entry>
 
-    <entry>
-        <title>Apache Wicket 7.0.0-M6 released</title>
-        <link href="http://wicket.apache.org/news/2015/06/21/wicket-7.0.0-M6-released.html"/>
-        <updated>2015-06-21T00:00:00+02:00</updated>
-        <id>http://wicket.apache.org/news/2015/06/21/wicket-7.0.0-M6-released</id>
-        <content type="html">&lt;p&gt;The Apache Wicket PMC is proud to announce Apache Wicket 7.0.0-M6!&lt;/p&gt;
-
-&lt;p&gt;We have released another milestone release for Apache Wicket 7. We aim
-to finalise Wicket 7 over the coming months and request your help in
-testing the new major version.&lt;/p&gt;
-
-&lt;h3 id=&quot;caveats&quot;&gt;Caveats&lt;/h3&gt;
-
-&lt;p&gt;It is still a development version so expect API breaks to happen over
-the course of the coming milestone releases.&lt;/p&gt;
-
-&lt;h3 id=&quot;semantic-versioning&quot;&gt;Semantic versioning&lt;/h3&gt;
-
-&lt;p&gt;As we adopted semver Wicket 7 will be the first release since 6.0 where
-we are able to refactor the API. We will continue to use semver when we
-have made Wicket 7 final and maintain api compatibility between minor
-versions of Wicket 7.&lt;/p&gt;
-
-&lt;h3 id=&quot;requirements&quot;&gt;Requirements&lt;/h3&gt;
-
-&lt;p&gt;Wicket 7 requires the following:&lt;/p&gt;
-
-&lt;ul&gt;
-  &lt;li&gt;Java 7&lt;/li&gt;
-  &lt;li&gt;Servlet 3 compatible container&lt;/li&gt;
-&lt;/ul&gt;
-
-&lt;p&gt;You can’t mix wicket libraries from prior Wicket versions with Wicket 7.&lt;/p&gt;
-
-&lt;h3 id=&quot;migration-guide&quot;&gt;Migration guide&lt;/h3&gt;
-
-&lt;p&gt;As usual we have a migration guide available online for people
-migrating their applications to Wicket 7. We will continue to update
-the guide as development progresses. If you find something that is not
-in the guide, please update the guide, or let us know so we can update
-the guide.&lt;/p&gt;
-
-&lt;p&gt;You can find the guide here: &lt;a href=&quot;http://s.apache.org/wicket7migrate&quot;&gt;http://s.apache.org/wicket7migrate&lt;/a&gt;&lt;/p&gt;
-
-&lt;h3 id=&quot;new-and-noteworthy&quot;&gt;New and noteworthy&lt;/h3&gt;
-
-&lt;ul&gt;
-  &lt;li&gt;
-    &lt;p&gt;New inline image support for the new data: protocol. See
-http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/markup/html/image/InlineImage.html
-for more information.&lt;/p&gt;
-  &lt;/li&gt;
-  &lt;li&gt;
-    &lt;p&gt;Added CSRF prevention measure to Wicket. The
-CsrfPreventionRequestCycleListener
-(http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.html)
-will prevent requests coming from other origins than allowed from
-performing actions. See the JavaDoc for more information on this
-listener.&lt;/p&gt;
-  &lt;/li&gt;
-  &lt;li&gt;
-    &lt;p&gt;JQuery was upgraded to most recent version.&lt;/p&gt;
-  &lt;/li&gt;
-&lt;/ul&gt;
-
-&lt;h3 id=&quot;using-this-release&quot;&gt;Using this release&lt;/h3&gt;
-
-&lt;p&gt;With Apache Maven update your dependency to (and don’t forget to
-update any other dependencies on Wicket projects to the same version):&lt;/p&gt;
-
-&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-xml&quot; data-lang=&quot;xml&quot;&gt;&lt;span class=&quot;nt&quot;&gt;&amp;lt;dependency&amp;gt;&lt;/span&gt;
-    &lt;span class=&quot;nt&quot;&gt;&amp;lt;groupId&amp;gt;&lt;/span&gt;org.apache.wicket&lt;span class=&quot;nt&quot;&gt;&amp;lt;/groupId&amp;gt;&lt;/span&gt;
-    &lt;span class=&quot;nt&quot;&gt;&amp;lt;artifactId&amp;gt;&lt;/span&gt;wicket-core&lt;span class=&quot;nt&quot;&gt;&amp;lt;/artifactId&amp;gt;&lt;/span&gt;
-    &lt;span class=&quot;nt&quot;&gt;&amp;lt;version&amp;gt;&lt;/span&gt;7.0.0-M6&lt;span class=&quot;nt&quot;&gt;&amp;lt;/version&amp;gt;&lt;/span&gt;
-&lt;span class=&quot;nt&quot;&gt;&amp;lt;/dependency&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;
-
-&lt;p&gt;Or download and build the distribution yourself, or use our
-convenience binary package&lt;/p&gt;
-
-&lt;ul&gt;
-  &lt;li&gt;Source: &lt;a href=&quot;http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M6&quot;&gt;http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M6&lt;/a&gt;&lt;/li&gt;
-  &lt;li&gt;Binary: &lt;a href=&quot;http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M6/binaries&quot;&gt;http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M6/binaries&lt;/a&gt;&lt;/li&gt;
-&lt;/ul&gt;
-
-&lt;h3 id=&quot;about-this-release&quot;&gt;About this release&lt;/h3&gt;
-
-&lt;p&gt;Below you can find the cryptographic signatures for the distributions
-and the release notes.&lt;/p&gt;
-
-&lt;h4 id=&quot;the-signatures-for-the-source-release-artefacts&quot;&gt;The signatures for the source release artefacts:&lt;/h4&gt;
-
-&lt;p&gt;The signatures for the source release artefacts:&lt;/p&gt;
-
-&lt;p&gt;Signature for apache-wicket-7.0.0-M6.zip:&lt;/p&gt;
-
-&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iEYEABECAAYFAlWANLgACgkQJBX8W/xy/UXSmQCgtAb+JrBeiq4+OdbpbN22sy+/
-F3YAn2ZeQ4byJPdmc4m4K6LLgg41AWSU
-=xN5i
------END PGP SIGNATURE-----
-&lt;/pre&gt;&lt;/div&gt;
-
-&lt;p&gt;Signature for apache-wicket-7.0.0-M6.tar.gz:&lt;/p&gt;
-
-&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iEYEABECAAYFAlWANLgACgkQJBX8W/xy/UUEsACgxiS2RQzuOi35Yw5C4c90KAFZ
-yPIAoMU7z9Go0pn5ZFKZwq+VDA0cvoh4
-=KW/I
------END PGP SIGNATURE-----
-&lt;/pre&gt;&lt;/div&gt;
-
-&lt;h4 id=&quot;changelog-for-700-m6&quot;&gt;CHANGELOG for 7.0.0-M6:&lt;/h4&gt;
-
-&lt;p&gt;Release Notes - Wicket - Version 7.0.0-M6&lt;/p&gt;
-
-&lt;h4 id=&quot;bugs&quot;&gt;Bugs&lt;/h4&gt;
-
-&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;* [WICKET-5790] - VariableInterpolator &amp;amp; #getThrowExceptionOnMissingResource
-* [WICKET-5814] - CryptoMapper clears feedback messages
-* [WICKET-5816] - Apps can&#39;t use Application.setName instead of WicketFilter for e.g. JMX names
-* [WICKET-5822] - AjaxSelfUpdatingTimer stops working after ajax download
-* [WICKET-5825] - Deployment of wicket-examples.war fails in Tomcat
-* [WICKET-5828] - PageProvider not serializable
-* [WICKET-5834] - NPE in DefaultPropertyResolver
-* [WICKET-5835] - InlineEnclosure doesn&#39;t call child.configure() before updating its visilbity
-* [WICKET-5837] - JUnit tests may fail because of AbstractDefaultAjaxBehavior
-* [WICKET-5838] - Last-modified header of external markup is ignored
-* [WICKET-5841] - continueToOriginalDestination() discards new cookies
-* [WICKET-5843] - CryptoMapper doesn&#39;t work with context relative UrlResourceReferences
-* [WICKET-5845] - AuthenticatedWebSession.get() returns a new session with signedIn false
-* [WICKET-5850] - LazyInitProxyFactory causes NoClassDefFound org/apache/wicket/proxy/ILazyInitProxy in case of multimodule deployment
-* [WICKET-5851] - PackageResourceTest#packageResourceGuard test fails under Windows
-* [WICKET-5853] - LongConverter converts some values greater than Long.MAX_VALUE
-* [WICKET-5855] - RememberMe functionality seems to be broken after the change of the default crypt factory
-* [WICKET-5856] - StackOverFlowError when working with transparent containers
-* [WICKET-5857] - PagingNavigator invalid HTML (rel attribute on span tag)
-* [WICKET-5858] - AjaxRequestTarget.focusComponent does not work in modal window
-* [WICKET-5861] - BigDecimalConverter does not allow parsing of values great than Double.MAX_VALUE
-* [WICKET-5862] - Wicket Container visibility bug
-* [WICKET-5864] - Multipart Ajax form submit does not release the channel in case of connection failure
-* [WICKET-5869] - Kittencaptcha doesn&#39;t calculate click y-coordinate correctly
-* [WICKET-5870] - wicket-event-jquery.js: Wicket.Browser.isIE11() does not return boolean
-* [WICKET-5874] - WicketTester TagTester does not work as expected when using non self closing tags
-* [WICKET-5879] - Using an AjaxSubmitLink to hide its form results in an exception
-* [WICKET-5881] - NPE in FormComponent#updateCollectionModel in case of no converted input and unmodifiable collection
-* [WICKET-5883] - Feedback messages not cleared for invisible/disabled form components on submit.
-* [WICKET-5887] - wicket.xsd refers to non-existing xhtml.label:attlist
-* [WICKET-5891] - Parsing of ChinUnionPay credit card should use the first 6 characters
-* [WICKET-5893] - CookieUtils should use the original response when saving a cookie
-* [WICKET-5895] - validateHeaders fails to detect missing head/body (regression)
-* [WICKET-5898] - StackOverflowError after form submit with a validation error
-* [WICKET-5900] - Add WicketTester support for IAjaxLink
-* [WICKET-5903] - Regression in mount resolution when using optional parameters
-* [WICKET-5904] - NPE after editing a markup file in debug mode
-* [WICKET-5906] - Use default on missing resource does not work
-* [WICKET-5908] - A new HtmlHeaderContainer is added each time a page instance is rendered
-* [WICKET-5910] - CGLib proxy should not intercept protected methods
-* [WICKET-5911] - Re-rendering page after exception in render phase does not call onBeforeRender()
-* [WICKET-5912] - NPE in Page#hasInvisibleTransparentChild
-* [WICKET-5915] - The application can not find /META-INF/wicket/**.properties on Windows systems
-* [WICKET-5916] - StackOverflowError when calling getObject() from load() in LDM
-* [WICKET-5917] - Do not use jQuery&#39;s $ in String snippets in Java code
-&lt;/code&gt;&lt;/pre&gt;
-&lt;/div&gt;
-
-&lt;h4 id=&quot;improvement&quot;&gt;Improvement&lt;/h4&gt;
-
-&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;* [WICKET-5314] - AbstractAutoCompleteBehavior does not support AjaxChannels
-* [WICKET-5749] - Wicket-auth-roles should deal with resource authorization
-* [WICKET-5789] - Make org.apache.wicket.protocol.ws.javax.WicketServerEndpointConfig publicly visible
-* [WICKET-5801] - Responsive Images
-* [WICKET-5823] - DefaultAuthenticationStrategy should be modified to reduce copy/paste while extending it&#39;s functionality
-* [WICKET-5829] - rename PageSettings#recreateMountedPagesAfterExpiry
-* [WICKET-5831] - Improve unsafe Id reporting in the AbstractRepeater
-* [WICKET-5832] - Do not fail at CDI&#39;s ConversationPropagator when running in non-http thread
-* [WICKET-5833] - Add a way to get all opened web socket connections per user session
-* [WICKET-5840] - WicketTester doesn&#39;t support #clickLink() for ExternalLink component
-* [WICKET-5859] - Add Hebrew and Arabic translations
-* [WICKET-5860] - Cross-Site Websocket Hijacking protection
-* [WICKET-5863] - Overiding disableCaching in ServletWebResponse is ignored when responce is buffered
-* [WICKET-5865] - AjaxEditableLabel should implement IGenericComponent
-* [WICKET-5872] - wicket extensions initializer.properties for greek language
-* [WICKET-5875] - ComponentRenderer.renderComponent() unexpectedly produces a WicketRuntimeException when called with a nested Component which contains a nested wicket:message
-* [WICKET-5889] - Ability to not submit a nested form
-* [WICKET-5892] - add ClientProperties#isJavaScriptEnabled()
-* [WICKET-5894] - Support *.woff2 webfonts in SecurePackageResourceGuard as well
-* [WICKET-5901] - Leaving veil when ajax processing ends with redirect
-* [WICKET-5905] - allow listening to Ajax calls before scheduling
-* [WICKET-5921] - Provide a default implementation of IModelComparator that always returns false
-&lt;/code&gt;&lt;/pre&gt;
-&lt;/div&gt;
-
-&lt;h4 id=&quot;new-feature&quot;&gt;New Feature&lt;/h4&gt;
-
-&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;* [WICKET-5819] - Support for HTML 5 media tags (audio / video)
-* [WICKET-5827] - Allow to apply multiple Javascript / CSS compressors
-* [WICKET-5897] - Use the #isEnabled() method with validators
-* [WICKET-5918] - Create an Image component that uses the new data: protocol (an InlineImage)
-* [WICKET-5919] - Add support for CSRF prevention
-&lt;/code&gt;&lt;/pre&gt;
-&lt;/div&gt;
-
-&lt;h4 id=&quot;task&quot;&gt;Task&lt;/h4&gt;
-
-&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;* [WICKET-5896] - Upgrade jQuery to latest stable versions (1.11.4 &amp;amp; 2.1.3)
-&lt;/code&gt;&lt;/pre&gt;
-&lt;/div&gt;
-
-&lt;h4 id=&quot;wish&quot;&gt;Wish&lt;/h4&gt;
-
-&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;* [WICKET-5848] - Remove .settings folders of projects
-&lt;/code&gt;&lt;/pre&gt;
-&lt;/div&gt;
-
-&lt;p&gt;Have fun!&lt;/p&gt;
-
-&lt;p&gt;— The Wicket team&lt;/p&gt;
-</content>
-    </entry>
-
 </feed>
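Review bot: The 226 removed lines drop the entire "Apache Wicket 7.0.0-M6 released" entry from the feed, including its release signatures and changelog, and the commit message does not mention it. If this is the site generator's entry cap pushing out the oldest item, note that in the message, or keep generated output in a separate commit, so a reviewer does not have to work out whether release metadata was removed on purpose.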

http://git-wip-us.apache.org/repos/asf/wicket-site/blob/1f9ec1bf/content/index.html
----------------------------------------------------------------------
diff --git a/content/index.html b/content/index.html
index 4746ca3..96bd38f 100644
--- a/content/index.html
+++ b/content/index.html
@@ -244,20 +244,17 @@ The release consist of almost 300 features, improvements and fixes. In accordanc
 </div>
 <div class="l-two-third">
     <article>
-        <h2>CVE-2015-5347 Apache Wicket XSS vulnerability</h2>
-        <small>01 Mar 2016</small>
+        <h2>CVE-2015-7520 Apache Wicket XSS vulnerability</h2>
+        <small>02 Mar 2016</small>
         <p>Severity: Important</p>
 <p>Vendor:
 The Apache Software Foundation</p>
 <p>Versions Affected:
 Apache Wicket 1.5.x, 6.x and 7.x</p>
 <p>Description:</p>
-<p>It is possible for JavaScript statements to break out of a ModalWindow’s 
-title - only quotes are escaped in the JavaScript settings object, allowing JavaScript
-to be injected into the markup.</p>
+<p>It is possible for JavaScript statements to break out of a RadioGroup’s 
+and CheckBoxMultipleChoice’s “value” attribute of &lt;input&gt; elements</p>
 <p>This might pose a security threat if the written JavaScript contains user provided data.</p>
-<p>The title is now escaped by default, this can be disabled explicitly via
-  modalWindow.setEscapeModelStrings(false).</p>
 <h2 id="the-application-developers-are-recommended-to-upgrade-to">The application developers are recommended to upgrade to:</h2>
 <ul>
   <li><a href="/news/2016/02/19/wicket-1.5.15-released.html">Apache Wicket 1.5.15</a></li>
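Review bot: The replacement description on the front page stops at the symptom. The CVE-2015-5347 text it replaces told readers what the fix changed ("The title is now escaped by default, this can be disabled explicitly via modalWindow.setEscapeModelStrings(false)"), while the CVE-2015-7520 text says nothing about how the "value" attribute is handled after the upgrade or whether any opt-out exists. Add one sentence on the fixed behaviour to the source post so that every generated page carries it. The line "This might pose a security threat if the written JavaScript contains user provided data" is also kept verbatim from the ModalWindow advisory; for an <input> "value" attribute the wording deserves a second look, since the data in question is written into markup rather than into a script.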
@@ -265,9 +262,9 @@ to be injected into the markup.</p>
   <li><a href="/news/2016/01/20/wicket-7.2.0-released.html">Apache Wicket 7.2.0</a></li>
 </ul>
 <p>Credit:
-This issue was reported by Tobias Gierke!</p>
+This issue was reported by Canh Ngo!</p>
 <p>Apache Wicket Team</p>
-        <a href="/news/2016/03/01/cve-2015-5347.html">Read more...</a> 
+        <a href="/news/2016/03/02/cve-2015-7520.html">Read more...</a> 
     </article>
 </div>
 <div class="l-one-third news">
@@ -279,6 +276,12 @@ title="Atom 1.0 feed" href="/atom.xml">RSS feed</a> to
 get updates in your favorite RSS reader the moment they happen.</p>
 <ul>
 <li>
+    <h3>CVE-2015-5347 Apache Wicket XSS vulnerability</h3>
+    <small>01 Mar 2016</small>
+    Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x Description: It is possible for JavaScript statements to break out...
+    <a href="/news/2016/03/01/cve-2015-5347.html">more</a>
+</li>
+<li>
     <h3>Apache Wicket 6.22.0 released</h3>
     <small>19 Feb 2016</small>
     The Apache Wicket PMC is proud to announce Apache Wicket 6.22.0! This release marks another minor release of Wicket 6. We use semantic versioning for...
@@ -302,12 +305,6 @@ get updates in your favorite RSS reader the moment they happen.</p>
     The Apache Wicket PMC is proud to announce Apache Wicket 6.21.0! This release marks another minor release of Wicket 6. We use semantic versioning for...
     <a href="/news/2015/11/16/wicket-6.21.0-released.html">more</a>
 </li>
-<li>
-    <h3>Apache Wicket 1.4.x end of life</h3>
-    <small>15 Nov 2015</small>
-    The Apache Wicket team announces that support for Apache Wicket 1.4.x ends on 16 November 2015. On the same day Wicket 1.5.x enters “security fixes”...
-    <a href="/news/2015/11/15/wicket-1.4.x-eol.html">more</a>
-</li>
 </ul>
 </div>
 <div class="l-first"></div>

http://git-wip-us.apache.org/repos/asf/wicket-site/blob/1f9ec1bf/content/learn/index.html
----------------------------------------------------------------------
diff --git a/content/learn/index.html b/content/learn/index.html
index 87dbd83..49fb172 100644
--- a/content/learn/index.html
+++ b/content/learn/index.html
@@ -72,13 +72,13 @@ We also publish a news item on our website with the announcement, and it is also
 <p>Here are the most recent headlines:</p>
 <ul>
   <li>
-    <p><a href="/news/2016/03/01/cve-2015-5347.html">CVE-2015-5347 Apache Wicket XSS vulnerability</a> <small>01 Mar 2016</small></p>
+    <p><a href="/news/2016/03/02/cve-2015-7520.html">CVE-2015-7520 Apache Wicket XSS vulnerability</a> <small>02 Mar 2016</small></p>
   </li>
   <li>
-    <p><a href="/news/2016/02/19/wicket-6.22.0-released.html">Apache Wicket 6.22.0 released</a> <small>19 Feb 2016</small></p>
+    <p><a href="/news/2016/03/01/cve-2015-5347.html">CVE-2015-5347 Apache Wicket XSS vulnerability</a> <small>01 Mar 2016</small></p>
   </li>
   <li>
-    <p><a href="/news/2016/02/19/wicket-1.5.15-released.html">Wicket 1.5.15 released</a> <small>19 Feb 2016</small></p>
+    <p><a href="/news/2016/02/19/wicket-6.22.0-released.html">Apache Wicket 6.22.0 released</a> <small>19 Feb 2016</small></p>
   </li>
 </ul>
 <p>The complete articles and all other news items are available in the <a href="/news">archives</a>.</p>

http://git-wip-us.apache.org/repos/asf/wicket-site/blob/1f9ec1bf/content/news/2016/03/02/cve-2015-7520.html
----------------------------------------------------------------------
diff --git a/content/news/2016/03/02/cve-2015-7520.html b/content/news/2016/03/02/cve-2015-7520.html
new file mode 100644
index 0000000..5dfb908
--- /dev/null
+++ b/content/news/2016/03/02/cve-2015-7520.html
@@ -0,0 +1,84 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+        <meta charset="utf-8">
+        <title>CVE-2015-7520 Apache Wicket XSS vulnerability | Apache Wicket</title>
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+
+        <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
+        <link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" />
+        <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" />
+
+		<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>
+
+    </head>
+
+    <body class="">
+        <div class="header default">
+    <div class="l-container">
+<nav class="mainmenu">
+    <ul>
+		<!-- /start/quickstart.html || /news/2016/03/02/cve-2015-7520.html -->
+    	<li class=""><a href="/start/quickstart.html">Quick Start</a></li>
+		<!-- /start/download.html || /news/2016/03/02/cve-2015-7520.html -->
+    	<li class=""><a href="/start/download.html">Download</a></li>
+		<!-- /learn || /news/2016/03/02/cve-2015-7520.html -->
+    	<li class=""><a href="/learn">Documentation</a></li>
+		<!-- /help || /news/2016/03/02/cve-2015-7520.html -->
+    	<li class=""><a href="/help">Support</a></li>
+		<!-- /contribute || /news/2016/03/02/cve-2015-7520.html -->
+    	<li class=""><a href="/contribute">Contribute</a></li>
+		<!-- /community || /news/2016/03/02/cve-2015-7520.html -->
+    	<li class=""><a href="/community">Community</a></li>
+		<!-- /apache || /news/2016/03/02/cve-2015-7520.html -->
+    	<li class=""><a href="/apache">Apache</a></li>
+    </ul>
+</nav>
+        <div class="logo">
+    <a href="/"><img src="/img/logo-apachewicket-white.svg" alt="Apache Wicket"></a>
+</div>
+    </div>
+</div>
+<main>
+    <div class="l-container">
+        <header class="l-full preamble">
+            <h1>CVE-2015-7520 Apache Wicket XSS vulnerability</h1>
+        </header>
+        <section class="l-one-third right">
+            <div id="toc" class="toc"><div id="toc-title"><h2>Table of Contents</h2></div><ul><li class="toc--level-1 toc--section-1"><a href="#the-application-developers-are-recommended-to-upgrade-to"><span class="toc-number">1</span> <span class="toc-text">The application developers are recommended to upgrade to:</span></a></li></ul></div>
+        </section>
+        <section class="l-two-third left">
+            <div class="l-full">
+    <p class="meta">02 Mar 2016</p>
+    <p>Severity: Important</p>
+<p>Vendor:
+The Apache Software Foundation</p>
+<p>Versions Affected:
+Apache Wicket 1.5.x, 6.x and 7.x</p>
+<p>Description:</p>
+<p>It is possible for JavaScript statements to break out of a RadioGroup’s 
+and CheckBoxMultipleChoice’s “value” attribute of &lt;input&gt; elements</p>
+<p>This might pose a security threat if the written JavaScript contains user provided data.</p>
+<h2 id="the-application-developers-are-recommended-to-upgrade-to">The application developers are recommended to upgrade to:</h2>
+<ul>
+  <li><a href="/news/2016/02/19/wicket-1.5.15-released.html">Apache Wicket 1.5.15</a></li>
+  <li><a href="/news/2016/02/19/wicket-6.22.0-released.html">Apache Wicket 6.22.0</a></li>
+  <li><a href="/news/2016/01/20/wicket-7.2.0-released.html">Apache Wicket 7.2.0</a></li>
+</ul>
+<p>Credit:
+This issue was reported by Canh Ngo!</p>
+<p>Apache Wicket Team</p>
+</div>
+        </section>
+    </div>
+</main>
+        <footer class="l-container">
+            <div class="l-full">
+   	<img src="/img/asf_logo_url.svg" style="height:90px; float:left; margin-right:10px;">
+    <div style="margin-top:12px;">Copyright © 2016 — The Apache Software Foundation. Apache Wicket, Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</div>
+</div>
+        </footer>
+    </body>
+
+</html>
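Review bot: The new advisory page pulls a stylesheet and a script from third-party hosts with protocol-relative URLs and no integrity attribute (href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" and src="//code.jquery.com/jquery-1.11.3.min.js"). On a page whose purpose is to announce an XSS fix, either self-host both files or pin them with integrity and crossorigin attributes and an explicit https:// scheme. Since this markup comes from the shared layout, the change belongs in the template rather than in this generated file. Separately, <meta charset="utf-8"> should come before the X-UA-Compatible meta so that it is the first thing in <head>.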

http://git-wip-us.apache.org/repos/asf/wicket-site/blob/1f9ec1bf/content/news/2016/03/index.html
----------------------------------------------------------------------
diff --git a/content/news/2016/03/index.html b/content/news/2016/03/index.html
index 01d0a1b..738f05d 100644
--- a/content/news/2016/03/index.html
+++ b/content/news/2016/03/index.html
@@ -59,6 +59,18 @@ Apache Wicket 1.5.x, 6.x and 7.x</p>
 title - only quotes are escaped in the JavaScrip...</p>
 	<a href="/news/2016/03/01/cve-2015-5347.html">more</a></li>
 </div>
+<div class="news">
+	<h3>CVE-2015-7520 Apache Wicket XSS vulnerability</h3>
+  <p><small>02 Mar 2016</small></p>
+	<p>Severity: Important</p>
+<p>Vendor:
+The Apache Software Foundation</p>
+<p>Versions Affected:
+Apache Wicket 1.5.x, 6.x and 7.x</p>
+<p>Description:</p>
+<p>It is possible for JavaScript statements to break out of a RadioGroup...</p>
+	<a href="/news/2016/03/02/cve-2015-7520.html">more</a></li>
+</div>
         </div>
         <div class="l-one-third">
             <h2>2016</h2>
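Review bot: The added block closes its "more" link with a stray </li> (<a href="/news/2016/03/02/cve-2015-7520.html">more</a></li>) although no <li> is opened inside <div class="news">. The context line for CVE-2015-5347 shows the same defect, so the fix belongs in the month-index template. The new item is also appended after the older 01 Mar entry, whereas the year index and the all-news index in this commit list the newest item first; pick one order for all three.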

http://git-wip-us.apache.org/repos/asf/wicket-site/blob/1f9ec1bf/content/news/2016/index.html
----------------------------------------------------------------------
diff --git a/content/news/2016/index.html b/content/news/2016/index.html
index a99133b..2123e65 100644
--- a/content/news/2016/index.html
+++ b/content/news/2016/index.html
@@ -52,6 +52,12 @@
                   <p>This section contains all news items published in <a href="/news/2016/03">March 2016</a>.</p>
               </div>
                   <div class="l-full">
+              		<h3 id="/news/2016/03/02/cve-2015-7520.html">CVE-2015-7520 Apache Wicket XSS vulnerability</h3>
+                      <small>02 Mar 2016</small>
+              		<p>Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x Description: It is possible for JavaScript statements to break out...
+              		<a href="/news/2016/03/02/cve-2015-7520.html">more</a></li></p>
+                  </div>
+                  <div class="l-full">
               		<h3 id="/news/2016/03/01/cve-2015-5347.html">CVE-2015-5347 Apache Wicket XSS vulnerability</h3>
                       <small>01 Mar 2016</small>
               		<p>Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x Description: It is possible for JavaScript statements to break out...
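Review bot: In the added excerpt the "more" link line ends with </li></p>, closing an <li> that was never opened and doing so inside the <p>. Drop the </li> in the year-index template. The excerpt itself runs the advisory's field labels together ("Severity: Important Vendor: The Apache Software Foundation Versions Affected: ...") because the markup is stripped before truncation; a short summary line in the post's front matter would read better here.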

http://git-wip-us.apache.org/repos/asf/wicket-site/blob/1f9ec1bf/content/news/index.html
----------------------------------------------------------------------
diff --git a/content/news/index.html b/content/news/index.html
index f8a6f5e..e659b14 100644
--- a/content/news/index.html
+++ b/content/news/index.html
@@ -52,6 +52,12 @@
   <h1 id="all-news-for-2016">All News for 2016</h1>
   <p>This section contains all news items published in <a href="/news/2016">2016</a>.</p>
   <article>
+	<h3 id="/news/2016/03/02/cve-2015-7520.html">CVE-2015-7520 Apache Wicket XSS vulnerability</h3>
+    <small>02 Mar 2016</small>
+	<p>Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x Description: It is possible for JavaScript statements to break out of a RadioGroup’s and CheckBoxMultipleChoice’s “value” attribute of &lt;input&gt; elements This might pose a security threat if the written JavaScript contains user provided data. The...
+	<a href="/news/2016/03/02/cve-2015-7520.html">more</a></p>
+</article>
+  <article>
 	<h3 id="/news/2016/03/01/cve-2015-5347.html">CVE-2015-5347 Apache Wicket XSS vulnerability</h3>
     <small>01 Mar 2016</small>
 	<p>Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x Description: It is possible for JavaScript statements to break out of a ModalWindow’s title - only quotes are escaped in the JavaScript settings object, allowing JavaScript to be injected into the markup. This might pose...