CVE-2015-5347 Apache Wicket XSS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x
Description:
It is possible for JavaScript statements to break out of a ModalWindow’s title: only quotes are escaped in the JavaScript settings object, so JavaScript can be injected into the markup.
This might pose a security threat if the written JavaScript contains user-provided data.
The title is now escaped by default; this can be disabled explicitly via modalWindow.setEscapeModelStrings(false).
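As an added example (not Wicket's own code), the following JavaScript contrasts the pre-fix quote-only escaping with escaping the title as markup before it is written into the inline settings object; the rendering format and the function names are constructed stand-ins, and treating escapeHardened as equivalent to what setEscapeModelStrings(true) does is an assumption.

```javascript
// Pre-fix behaviour as the advisory describes it: only quotes (and the
// backslash needed to keep them escaped) are handled.
function escapeQuotesOnly(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// Markup escaping of the model string (assumed to approximate what
// setEscapeModelStrings(true) applies before the title is emitted).
function escapeMarkup(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

// Hardened: escape as markup first, then as a JS string literal. After
// escapeMarkup no raw quotes remain, but backslashes are still handled.
function escapeHardened(s) {
  return escapeQuotesOnly(escapeMarkup(s));
}

// Constructed stand-in for the inline script a ModalWindow-style
// component writes into the page.
function renderSettingsScript(title, escaper) {
  return '<script>var settings = {"title": "' + escaper(title) + '"};</script>';
}

// Defensive check: the HTML parser ends a <script> element at the first
// "</script", regardless of JS string syntax, so any raw "</" or
// "<script" left inside the script body means the title can break out.
function scriptBreaksOut(html) {
  const body = html.slice('<script>'.length, html.lastIndexOf('</script>'));
  return /<\//i.test(body) || /<script/i.test(body);
}

// Constructed sample title: quotes alone do not stop the closing tag.
const sampleTitle = 'My "Q3" report</script><b>injected</b>';
scriptBreaksOut(renderSettingsScript(sampleTitle, escapeQuotesOnly)); // true
scriptBreaksOut(renderSettingsScript(sampleTitle, escapeHardened));   // false
```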
Application developers are advised to upgrade to:
Credit: This issue was reported by Tobias Gierke!
Apache Wicket Team