CVE-2015-7520 Apache Wicket XSS vulnerability

02 Mar 2016

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x


It is possible for JavaScript statements to break out of the “value” attribute of the <input> elements of a RadioGroup and a CheckBoxMultipleChoice.

This might pose a security threat if the written JavaScript contains user-provided data.
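
An added illustration, not code from Wicket or from this advisory: a plain-Java model of an <input> renderer that writes the “value” attribute unescaped, beside one that HTML-encodes it, with a small attribute scan that shows the difference. The class, the method names and the sample value are constructed for the example, and the encoding shown is the general mitigation for this class of bug, not necessarily the project's actual fix.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical stand-alone model of an <input> renderer; not Wicket code.
public class ValueAttributeEscaping {

    // "Before": the value is concatenated into the quoted attribute as-is.
    static String renderUnescaped(String value) {
        return "<input type=\"radio\" name=\"group\" value=\"" + value + "\"/>";
    }

    // "After": characters with meaning inside a quoted attribute are encoded.
    static String renderEscaped(String value) {
        return "<input type=\"radio\" name=\"group\" value=\"" + escapeAttribute(value) + "\"/>";
    }

    static String escapeAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#039;"); break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Lists the double-quoted attribute names found in a rendered tag.
    static List<String> attributeNames(String tag) {
        List<String> names = new ArrayList<>();
        Matcher m = Pattern.compile("([\\w-]+)=\"[^\"]*\"").matcher(tag);
        while (m.find()) {
            names.add(m.group(1));
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample: a choice value that contains a double quote.
        String value = "a\" onmouseover=\"alert(1)";
        System.out.println(attributeNames(renderUnescaped(value))); // the value spills into a new attribute
        System.out.println(attributeNames(renderEscaped(value)));   // the value stays inside "value"
    }
}
```

The same attribute scan can serve as a regression check in an application's own tests: render a choice whose value contains a quote and verify that no attribute beyond the expected ones appears.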

Credit: This issue was reported by Canh Ngo!

Apache Wicket Team