Apache Wicket version 1.4.x suffers from a cross site scripting vulnerability.
9d87eb45b2ffcd8b3e5d95c70dbb91a574fa76f889edb2004d29a8fbcd9e71bc
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Wicket 1.4.x
Apache Wicket 1.3.x and 1.5-RCx are not affected
Description:
With multi window support application configuration and special query
parameters it
is possible to execute any kind of JavaScript on a site running with the
affected versions.
Mitigation:
Either disable multi window support with
org.apache.wicket.settings.IPageSettings.setAutomaticMultiWindowSupport(false)
or upgrade to Apache Wicket 1.4.18 or 1.5-RC5.1.
Credit:
This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH.
Apache Wicket Team