CVE-2012-0047 - Apache Wicket XSS vulnerability via pageMapName request parameter

22 Mar 2012

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.4.x

Apache Wicket 1.3.x and 1.5.x are not affected

Description: A Cross Site Scripting (XSS) attack is possible by manipulating the value of ‘wicket:pageMapName’ request parameter.

Mitigation: Upgrade to Apache Wicket 1.4.20 or Apache Wicket 1.5.5

Credit: This issue was discovered by Jens Schenck and Stefan Schmidt.