lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAMomwMqkV4r4AXvzTt8bdofFtR6u+671Sx2j8zySRAx1wo1G0Q@mail.gmail.com>
Date: Thu, 22 Mar 2012 11:49:53 +0200
From: Martin Grigorov <mgrigorov@...che.org>
To: announce@...ket.apache.org, users@...ket.apache.org, dev@...ket.apache.org
Cc: security@...che.org, full-disclosure@...ts.grok.org.uk,
  bugtraq@...urityfocus.com
Subject: [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName
 request parameter

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x

Apache Wicket 1.3.x and 1.5.x are not affected

Description:
A Cross Site Scripting (XSS) attack is possible by manipulating the
value of 'wicket:pageMapName'
request parameter.

Mitigation:
Upgrade to Apache Wicket 1.4.20 or 1.5.5.

Credit:
This issue was discovered by Jens Schenck.

Apache Wicket Team

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ