| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Aug 2011 13:52:28 -0700 From: Steven Nuhn <steve@...ndcomputers.net> To: Martin Grigorov <mgrigorov@...che.org>, "announce@...ket.apache.org" <announce@...ket.apache.org>, "users@...ket.apache.org" <users@...ket.apache.org>, "dev@...ket.apache.org" <dev@...ket.apache.org>, "security@...che.org" <security@...che.org>, "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> Subject: Re: [CVE-2011-2712] Apache Wicket XSS vulnerability Martin Grigorov <mgrigorov@...che.org> wrote: Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.4.x Apache Wicket 1.3.x and 1.5-RCx are not affected Description: With multi window support application configuration and special query parameters it is possible to execute any kind of JavaScript on a site running with the affected versions. Mitigation: Either disable multi window support with org.apache.wicket.settings.IPageSettings.setAutomaticMultiWindowSupport(false) or upgrade to Apache Wicket 1.4.18 or 1.5-RC5.1. Credit: This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH. Apache Wicket Team _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists