Google Git
Sign in
apache / wicket-site / 295f8b6b82f39757edd800108793c17f1d360859 / . / content / news / 2012 / 09 / 06 / cve-2012-3373.html
blob: 3fd0ce5dc505c44acdf29033c881a5dc33f12c93 [file] [log] [blame]
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta charset="utf-8">
<title>CVE-2012-3373 - Apache Wicket XSS vulnerability | Apache Wicket</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
<link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" />
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" />
<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>
</head>
<body class="">
<div class="header default">
<div class="l-container">
<nav class="mainmenu">
<div class="nav-logo">
<a href="/"><img src="/img/logo-apachewicket.svg" alt="Apache Wicket"></a>
</div>
<div class="nav-container">
<!-- /start/quickstart.html || /news/2012/09/06/cve-2012-3373.html -->
<a href="/start/quickstart.html" class=" nav-items">Quick Start</a>
<!-- /start/download.html || /news/2012/09/06/cve-2012-3373.html -->
<a href="/start/download.html" class=" nav-items">Download</a>
<!-- /learn || /news/2012/09/06/cve-2012-3373.html -->
<a href="/learn" class=" nav-items">Documentation</a>
<!-- /help || /news/2012/09/06/cve-2012-3373.html -->
<a href="/help" class=" nav-items">Support</a>
<!-- /contribute || /news/2012/09/06/cve-2012-3373.html -->
<a href="/contribute" class=" nav-items">Contribute</a>
<!-- /community || /news/2012/09/06/cve-2012-3373.html -->
<a href="/community" class=" nav-items">Community</a>
<!-- /apache || /news/2012/09/06/cve-2012-3373.html -->
<a href="/apache" class=" nav-items">Apache</a>
</div>
<div class="nav-container ">
<a href="https://github.com/apache/wicket" target="_blank"><i class="fa fa-github nav-items"></i></a>
<a href="https://twitter.com/apache_wicket" target="_blank"><i class="fa fa-twitter nav-items"></i></a>
<a href="https://builtwithwicket.tumblr.com" target="_blank"><i class="fa fa-tumblr nav-items"></i></a>
</div>
</nav>
</div>
</div>
<main>
<div class="l-container">
<header class="l-full preamble">
<h1>CVE-2012-3373 - Apache Wicket XSS vulnerability</h1>
</header>
<section class="toc left post ">
</section>
<section>
<div class="l-full">
<p class="meta">06 Sep 2012</p>
<p>Severity: Important</p>
<p>Vendor:
The Apache Software Foundation</p>
<p>Versions Affected:
Apache Wicket 1.4.x and 1.5.x</p>
<p>Description:
It is possible to inject JavaScript statements into an ajax link by adding an
encoded null byte to a URL pointing to a Wicket app. This could be done by sending a
legitimate user a manipulated URL and tricking the user into clicking on it.</p>
<p>This vulnerability is fixed in
<a href="https://wicket.apache.org/news/2012/09/05/wicket-1.4.21-released.html">Apache Wicket 1.4.21</a> and
<a href="https://wicket.apache.org/news/2012/08/24/wicket-1.5.8-released.html">Apache Wicket 1.5.8</a>.</p>
<p><a href="https://wicket.apache.org/news/2012/09/05/wicket-6.0.0-released.html">Apache Wicket 6.0.0</a> is not affected.</p>
<p>Credit:
This issue was reported by Thomas Heigl.</p>
</div>
</section>
</div>
</main>
<footer>
<div class="l-container">
<div class="left">
<img src="/img/asf_logo_url.svg" style="height:90px; float:left; margin-right:10px;">
<div style="margin-top:12px;">Copyright © 2021 — The Apache Software Foundation. Apache Wicket, Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</div>
</div>
</div>
</footer>
</body>
</html>