Full Disclosure mailing list archives
[CVE-2011-2712] Apache Wicket XSS vulnerability
From: Martin Grigorov <mgrigorov () apache org>
Date: Tue, 23 Aug 2011 21:22:28 +0300
Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.4.x Apache Wicket 1.3.x and 1.5-RCx are not affected Description: With multi window support application configuration and special query parameters it is possible to execute any kind of JavaScript on a site running with the affected versions. Mitigation: Either disable multi window support with org.apache.wicket.settings.IPageSettings.setAutomaticMultiWindowSupport(false) or upgrade to Apache Wicket 1.4.18 or 1.5-RC5.1. Credit: This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH. Apache Wicket Team _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [CVE-2011-2712] Apache Wicket XSS vulnerability Martin Grigorov (Aug 24)