CVE-2011-2712 - Apache Wicket XSS vulnerability

23 Aug 2011

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.4.x

Apache Wicket 1.3.x and 1.5-RCx are not affected

Description: With multi window support application configuration and special query parameters it is possible to execute any kind of JavaScript on a site running with the affected versions.

Mitigation: Either disable multi window support with

public class MyApp extends WebApplication { 
    public void init() {
        super.init();
        getPageSettings.setAutomaticMultiWindowSupport(false);
    }
}

or upgrade to Apache Wicket 1.4.18 or Apache Wicket 1.5-RC5.1

Credit: This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH.