[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVE-2012-3373] Apache Wicket XSS vulnerability via manipulated URL parameter
The Apache Software Foundation
Apache Wicket 1.4.x and 1.5.x
adding an encoded null byte to a URL pointing to a Wicket app. This
could be done by sending a legitimate user a manipulated URL and
tricking the user into clicking on it.
This vulnerability is fixed in
- Apache Wicket 1.4.21
- Apache Wicket 1.5.8
Apache Wicket 6.0.0 is not affected.
This issue was reported by Thomas Heigl.
Apache Wicket Team