CVE-2012-3373 - Apache Wicket XSS vulnerability

06 Sep 2012

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.4.x and 1.5.x

Description: It is possible to inject JavaScript statements into an Ajax link by adding an encoded null byte to a URL pointing to a Wicket application. This is a reflected cross-site scripting (XSS) issue: an attacker could exploit it by sending a legitimate user a manipulated URL and tricking the user into clicking on it.

This vulnerability is fixed in Apache Wicket 1.4.21 and Apache Wicket 1.5.8.

Apache Wicket 6.0.0 is not affected.
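Two checks a practitioner would want alongside this advisory, given as an added example that is not part of the Apache advisory or of the Wicket code base: a test of whether a reported Wicket version string falls in the affected ranges stated above (1.4.x before 1.4.21, 1.5.x before 1.5.8, with 6.0.0 unaffected), and a scan of web-server access log lines for request URLs carrying an encoded null byte, the marker of an attempt to exercise this bug. The log lines and the query-string shape are constructed for illustration and do not reproduce the actual injection string; the regex also catches double-encoded forms such as %2500, which is an assumption about how an attacker might try to evade a naive filter, not something the advisory states.

```python
"""Added example for CVE-2012-3373 (not from the Apache advisory):
an affected-version check and an access-log scan for encoded null bytes."""
import re
from urllib.parse import unquote

# First fixed patch level per affected branch, as stated in the advisory.
FIXED_PATCH = {(1, 4): 21, (1, 5): 8}


def is_affected(version: str) -> bool:
    """True if an Apache Wicket version string is in an affected range.

    1.4.x before 1.4.21 and 1.5.x before 1.5.8 are affected. Branches not
    listed in the advisory (e.g. 6.0.0) are treated as not affected.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False
    return patch < fixed


# %00, plus double/triple-encoded variants such as %2500 (assumed evasion form).
ENCODED_NULL = re.compile(r"%(?:25)*00", re.IGNORECASE)

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Return (client_ip, raw_path, once_decoded_path) for every request whose
    URL contains an encoded null byte. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, _status = m.groups()
        if ENCODED_NULL.search(path):
            hits.append((ip, path, unquote(path)))
    return hits


# Constructed sample lines; the query-string shape is illustrative only.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Sep/2012:10:01:02 +0000] '
    '"GET /app/?wicket:interface=:0:link::ILinkListener:: HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Sep/2012:10:01:07 +0000] '
    '"GET /app/?wicket:interface=:0:link::ILinkListener::%00abc HTTP/1.1" 200 480',
    '10.0.0.9 - - [06/Sep/2012:10:01:09 +0000] '
    '"GET /app/page%2500abc HTTP/1.1" 404 120',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for v in ("1.4.20", "1.4.21", "1.5.7", "1.5.8", "6.0.0"):
        print(f"Wicket {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for ip, raw, decoded in scan_access_log(SAMPLE_LOG):
        print(f"encoded null byte from {ip}: {raw!r} -> {decoded!r}")
```

The version check is a triage aid for dependency inventories; the log scan is a retrospective detection that works on any server fronting a Wicket application, since the null byte has to appear in the request URL itself. A single decode is deliberate: the decoded path shows what the application would have seen after one round of URL decoding, and a `%00` that survives that round is itself a signal worth flagging.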

Credit: This issue was reported by Thomas Heigl.