<!DOCTYPE html>
<html>
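<head>
  <!-- Character encoding is declared first so the parser sees it before any text. -->
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>CVE-2015-5347 Apache Wicket XSS vulnerability | Apache Wicket</title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon">
  <link rel="stylesheet" href="/css/style.css" media="screen">
  <!--
    Third-party assets are requested with an explicit https: scheme instead of a
    protocol-relative URL, so the page cannot pull them over plain HTTP when it
    is itself served or opened without TLS.
    NOTE(review): neither tag carries Subresource Integrity. Add an integrity
    attribute (hash computed from the vetted file) together with
    crossorigin="anonymous", or self-host the files, so a changed CDN response
    is rejected by the browser.
    NOTE(review): jQuery 1.11.3 belongs to the 1.x line, which is no longer
    maintained upstream; confirm whether the site still needs it and plan an
    upgrade to a supported release.
  -->
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
  <script src="https://code.jquery.com/jquery-1.11.3.min.js"></script>
</head>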
<body class="">
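<div class="header default">
  <div class="l-container">
    <!-- Primary site navigation: logo, section links, then external project links. -->
    <nav class="mainmenu" aria-label="Primary">
      <div class="nav-logo">
        <a href="/"><img src="/img/logo-apachewicket.svg" alt="Apache Wicket"></a>
      </div>
      <div class="nav-container">
        <a href="/start/quickstart.html" class=" nav-items">Quick Start</a>
        <a href="/start/download.html" class=" nav-items">Download</a>
        <a href="/learn" class=" nav-items">Documentation</a>
        <a href="/help" class=" nav-items">Support</a>
        <a href="/contribute" class=" nav-items">Contribute</a>
        <a href="/community" class=" nav-items">Community</a>
        <a href="/apache" class=" nav-items">Apache</a>
      </div>
      <div class="nav-container ">
        <!--
          External links open in a new tab. rel="noopener noreferrer" keeps the
          opened page from reaching this one through window.opener and withholds
          the Referer header. The icons are decorative, so each link gets its
          accessible name from aria-label.
        -->
        <a href="https://github.com/apache/wicket" target="_blank" rel="noopener noreferrer" aria-label="Apache Wicket on GitHub (opens in a new tab)"><i class="fa fa-github nav-items" aria-hidden="true"></i></a>
        <a href="https://twitter.com/apache_wicket" target="_blank" rel="noopener noreferrer" aria-label="Apache Wicket on Twitter (opens in a new tab)"><i class="fa fa-twitter nav-items" aria-hidden="true"></i></a>
        <a href="https://builtwithwicket.tumblr.com" target="_blank" rel="noopener noreferrer" aria-label="Built with Wicket on Tumblr (opens in a new tab)"><i class="fa fa-tumblr nav-items" aria-hidden="true"></i></a>
      </div>
    </nav>
  </div>
</div>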
<main>
<div class="l-container">
<header class="l-full preamble">
<h1>CVE-2015-5347 Apache Wicket XSS vulnerability</h1>
</header>
<section class="toc left post ">
<div id="toc" class="toc"><div id="toc-title"><h2>Table of Contents</h2></div><ul><li class="toc--level-1 toc--section-1"><a href="#the-application-developers-are-recommended-to-upgrade-to"><span class="toc-number">1</span> <span class="toc-text">The application developers are recommended to upgrade to:</span></a></li></ul></div>
</section>
<section>
<div class="l-full">
<p class="meta">01 Mar 2016</p>
<p>Severity: Important</p>
<p>Vendor:
The Apache Software Foundation</p>
<p>Versions Affected:
Apache Wicket 1.5.x, 6.x and 7.x</p>
<p>Description:</p>
<p>It is possible for JavaScript statements to break out of a ModalWindow’s
title - only quotes are escaped in the JavaScript settings object, allowing JavaScript
to be injected into the markup.</p>
<p>This might pose a security threat if the title written into that JavaScript contains user-provided data.</p>
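<p>The title is now escaped by default; this can be disabled explicitly via
modalWindow.setEscapeModelStrings(false). With escaping disabled the title is written
without this protection, so disable it only when the title cannot contain user-provided data.</p>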
<h2 id="the-application-developers-are-recommended-to-upgrade-to">The application developers are recommended to upgrade to:</h2>
<ul>
<li><a href="/news/2016/02/19/wicket-1.5.15-released.html">Apache Wicket 1.5.15</a></li>
<li><a href="/news/2016/02/19/wicket-6.22.0-released.html">Apache Wicket 6.22.0</a></li>
<li><a href="/news/2016/01/20/wicket-7.2.0-released.html">Apache Wicket 7.2.0</a></li>
</ul>
<p>Credit:
This issue was reported by Tobias Gierke!</p>
<p>Apache Wicket Team</p>
</div>
</section>
</div>
</main>
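<footer>
  <div class="l-container">
    <div class="left">
      <!-- The logo carries meaning (it names the foundation), so it gets a text alternative. -->
      <img src="/img/asf_logo_url.svg" alt="The Apache Software Foundation" style="height:90px; float:left; margin-right:10px;">
      <div style="margin-top:12px;">Copyright © 2021 — The Apache Software Foundation. Apache Wicket, Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</div>
    </div>
  </div>
</footer>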
</body>
</html>