CVE-2012-5636 - Apache Wicket XSS vulnerability

03 Mar 2013

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.4.x, 1.5.x and 1.6.x

Description: It is possible for JavaScript statements to break out of a <script> tag in the rendered response. This might pose a security threat if the written JavaScript contains user-provided data.

This vulnerability is fixed in Apache Wicket 6.4.0, Apache Wicket 1.5.10 and Apache Wicket 1.4.22.

Credit: This issue was reported by Michael Riedel.
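
The breakout in the Description happens because an HTML parser ends a script element at the first "</script" it sees, regardless of JavaScript string quoting. The Java sketch below is an added example, not Apache Wicket code and not the project's fix; the class name, method names, inline script template and sample input are all hypothetical. It compares escaping for the JavaScript string context alone with escaping that also neutralizes HTML-significant characters.

```java
// Added illustration; not Apache Wicket code. All names here are hypothetical.
public class ScriptBreakoutDemo {
    // Weak: escapes only for the JavaScript string context, so "</script>" survives.
    static String jsEscapeOnly(String s) {
        return s.replace("\\", "\\\\").replace("'", "\\'");
    }

    // Hardened: also writes HTML-significant characters, control characters and
    // U+2028/U+2029 as JavaScript unicode escapes, so no raw '<' reaches the HTML parser.
    static String jsEscapeForInlineScript(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '\'': out.append("\\'"); break;
                case '"':  out.append("\\\""); break;
                default:
                    if (c == '<' || c == '>' || c == '&' || c < 0x20
                            || c == '\u2028' || c == '\u2029') {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    // Hypothetical inline script template that places the value in a string literal.
    static String render(String escaped) {
        return "<script type=\"text/javascript\">var name = '" + escaped + "';</script>";
    }

    // True if the only "</script" in the markup is the closing tag written by render().
    static boolean scriptClosesOnlyAtEnd(String html) {
        String lower = html.toLowerCase(java.util.Locale.ROOT);
        return lower.indexOf("</script") == lower.lastIndexOf("</script");
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for user-provided data.
        String input = "x</script><p>markup outside the script</p>";
        String weak = render(jsEscapeOnly(input));
        String hard = render(jsEscapeForInlineScript(input));
        System.out.println(weak + "\n  contained: " + scriptClosesOnlyAtEnd(weak));
        System.out.println(hard + "\n  contained: " + scriptClosesOnlyAtEnd(hard));
    }
}
```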