[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAMomwMou07GPB_gjTpS6pHjb+Y0pSstm57H+3u-+8b_F8YSHLg@mail.gmail.com>
Date: Tue, 23 Aug 2011 21:22:28 +0300
From: Martin Grigorov <mgrigorov@...che.org>
To: announce@...ket.apache.org, users@...ket.apache.org, dev@...ket.apache.org,
security@...che.org, full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com
Subject: [CVE-2011-2712] Apache Wicket XSS vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Wicket 1.4.x
Apache Wicket 1.3.x and 1.5-RCx are not affected
Description:
With multi window support application configuration and special query
parameters it
is possible to execute any kind of JavaScript on a site running with the
affected versions.
Mitigation:
Either disable multi window support with
org.apache.wicket.settings.IPageSettings.setAutomaticMultiWindowSupport(false)
or upgrade to Apache Wicket 1.4.18 or 1.5-RC5.1.
Credit:
This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH.
Apache Wicket Team
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists