CVE-2015-5347 Apache Wicket XSS vulnerability

01 Mar 2016

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x


It is possible for JavaScript statements to break out of a ModalWindow’s title - only quotes are escaped in the JavaScript settings object, allowing JavaScript to be injected into the markup.

This might pose a security threat if the written JavaScript contains user provided data.

The title is now escaped by default, this can be disabled explicitly via modalWindow.setEscapeModelStrings(false).

Credit: This issue was reported by Tobias Gierke!

Apache Wicket Team