content/2013/03/03/cve-2012-5636.html - wicket-site - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
     <title>Apache Wicket - CVE-2012-5636 - Apache Wicket XSS vulnerability</title>

 	<link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen" />

     <!--[if lt ie 7]>
 	<link rel="stylesheet" href="/css/ie.css" type="text/css" media="screen" />
     <![endif]-->
     <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
 	<link rel="alternate" type="application/atom+xml" href="/atom.xml" />
 	<meta http-equiv="content-type" content="text/html;charset=utf-8" />
 </head>
 <body>
 <div id="container">
     <div id="content">
         <div id="header"><a href="/"><h1 id="logo"><span>Apache Wicket</span></h1></a></div>
 		<div id="navigation">
 	<h5><a name="Navigation-Wicket"></a>Meet Wicket</h5>
 	<ul>
 		<li>
 			<a href="/" title="Index">Home</a>
 		</li>
 		<li>
 			<a href="/meet/introduction.html" title="Introduction">Introduction</a>
 		</li>
 		<li>
 			<a href="/meet/features.html" title="Features">Features</a>
 		</li>
 		<li>
 			<a href="/meet/buzz.html" title="Buzz">Buzz</a>
 		</li>
 		<li>
 			<a href="/meet/vision.html" title="Vision">Vision</a>
 		</li>
 		<li>
 			<a href="/meet/blogs.html" title="Blogs">Blogs</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-GettingStarted" id="Navigation-GettingStarted"></a>Get Started
 	</h5>
 	<ul>
 		<li>
 			<a href="/start/download.html" title="Download Wicket">Download Wicket</a>
 		</li>
 		<li>
 			<a href="/start/quickstart.html" title="Getting started via a Maven Archetype">Quickstart</a>
 		</li>
 		<li>
 			<a href="http://www.jweekend.com/dev/LegUp" rel="nofollow">More archetypes</a>
 		</li>
 		<li>
 			<a href="/help" title="Get help">Get help</a>
 		</li>
 		<li>
 			<a href="/help/email.html" title="Wicket Mailing Lists">Mailing Lists</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Documentation" id="Navigation-Documentation"></a>Learn
 	</h5>
 	<ul>
 		<li>
 			<a href="/start/userguide.html" title="User Guide">User Guide</a>
 		</li>
 		<li>
 			<a href="/learn/examples" title="Examples">Examples</a>
 		</li>
 		<li>
 			<a href="http://www.wicket-library.com/wicket-examples/compref/">Components</a>
 		</li>
 		<li>
 			<a href="/learn/projects/" title="Projects extending basic Wicket">Projects</a>
 		</li>
 		<li>
 			<a href="https://cwiki.apache.org/confluence/display/WICKET">Wiki</a>
 		</li>
 		<li>
 			<a href="https://cwiki.apache.org/confluence/display/WICKET/Reference+library">Reference guide</a>
 		</li>
 		<li>
 			<a href="/learn/books" title="Books">Books</a>
 		</li>
 		<li>
 			<a href="/learn/ides.html" title="IDEs">IDEs</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Releases" id="Navigation-Releases"></a>Releases
 	</h5>
 	<ul>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/6.20.0">Wicket 6.20</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.13">Wicket 1.5</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.23">Wicket 1.4</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.3.7">Wicket 1.3</a>
 		</li>
 		<li>
 			<a href="http://wicket.sf.net/wicket-1.2" class="external-link" rel="nofollow">Wicket 1.2</a>
 		</li>
 		<li>
 			<a href="http://wicket.sf.net/wicket-1.1" class="external-link" rel="nofollow">Wicket 1.1</a>
 		</li>
 		<li>
 			<a href="http://wicket.sf.net/wicket-1.0" class="external-link" rel="nofollow">Wicket 1.0</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Docs" id="Navigation-Docs"></a>API Docs
 	</h5>
 	<ul>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/6.x/" title="JavaDocs of Apache Wicket 6.x">Wicket 6.x</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/1.5.x/" title="JavaDocs of Apache Wicket 1.5.x">Wicket 1.5</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/1.4.x" title="JavaDocs of Apache Wicket 1.4.x">Wicket 1.4</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/1.3.x" title="JavaDocs of Apache Wicket 1.3.x">Wicket 1.3</a>
 		</li>
 	</ul>
 	<h5>Wicket 7.x</h5>
 	<ul>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M6">Download M6</a>
 		</li>
 		<li>
 			<a href="https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+7.0">Migration guide</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/7.x/" title="JavaDocs of Apache Wicket 7.x">API Docs 7.x</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Developers" id="Navigation-Developers"></a>Contribute
 	</h5>
 	<ul>
 		<li>
 			<a href="/contribute/write.html" title="Writing documentation">Writing docs</a>
 		</li>
 		<li>
 			<a href="/contribute/build.html" title="Building from SVN">Build Wicket</a>
 		</li>
 		<li>
 			<a href="/contribute/patch.html" title="Provide a patch">Provide a patch</a>
 		</li>
 		<li>
 			<a href="/contribute/release.html" title="Release Wicket">Release Wicket</a>
 		</li>
 		<li>
 			<a href="https://fisheye6.atlassian.com/browse/wicket-git" title="Git Overview" class="external-link" rel="nofollow">Fisheye</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Apache" id="Navigation-Apache"></a>Apache
 	</h5>
 	<ul>
 		<li>
 			<a href="http://www.apache.org/" class="external-link" rel="nofollow">Apache</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/foundation/sponsorship.html" class="external-link" rel="nofollow">Sponsorship</a>
 		</li>
 		<li>
 			<a href="http://apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a>
 		</li>
 		<li>
 			<a href="/apache/friends.html" title="Apache projects using Wicket">Friends</a>
 		</li>
 	</ul>
 </div>

 		<div id="contentbody">
 			<h1>CVE-2012-5636 - Apache Wicket XSS vulnerability</h1>
 			<p>Severity: Important</p>

 <p>Vendor:
 The Apache Software Foundation</p>

 <p>Versions Affected:
 Apache Wicket 1.4.x, 1.5.x and 1.6.x</p>

 <p>Description:
 It is possible for JavaScript statements to break out of a &lt;script&gt; tag in the rendered response.
 This might pose a security threat if the written JavaScript contains user provided data.</p>

 <p>This vulnerability is fixed in
 <a href="https://wicket.apache.org/2012/12/14/wicket-6.4.0-released.html">Apache Wicket 6.4.0</a>,
 <a href="https://wicket.apache.org/2013/02/26/wicket-1.5.10-released.html">Apache Wicket 1.5.10</a> and
 Apache Wicket 1.4.22.</p>

 <p>Credit:
 This issue was reported by Michael Riedel.</p>

 		</div>
         <div id="clearer"></div>
 		<div id="footer"><span>
 Copyright &copy; 2015 &mdash; The Apache Software Foundation. Apache Wicket,
 Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
 are trademarks of The Apache Software Foundation. All other marks mentioned
 may be trademarks or registered trademarks of their respective owners.
 </span></div>

     </div>
 </div>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<title>Apache Wicket - CVE-2012-5636 - Apache Wicket XSS vulnerability</title>

	<link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen" />

	<!--[if lt ie 7]>
	<link rel="stylesheet" href="/css/ie.css" type="text/css" media="screen" />
	<![endif]-->
	<link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
	<link rel="alternate" type="application/atom+xml" href="/atom.xml" />
	<meta http-equiv="content-type" content="text/html;charset=utf-8" />
	</head>
	<body>
	<div id="container">
	<div id="content">
	<div id="header"><a href="/"><h1 id="logo"><span>Apache Wicket</span></h1></a></div>
	<div id="navigation">
	<h5><a name="Navigation-Wicket"></a>Meet Wicket</h5>
	<ul>
	<li>
	<a href="/" title="Index">Home</a>
	</li>
	<li>
	<a href="/meet/introduction.html" title="Introduction">Introduction</a>
	</li>
	<li>
	<a href="/meet/features.html" title="Features">Features</a>
	</li>
	<li>
	<a href="/meet/buzz.html" title="Buzz">Buzz</a>
	</li>
	<li>
	<a href="/meet/vision.html" title="Vision">Vision</a>
	</li>
	<li>
	<a href="/meet/blogs.html" title="Blogs">Blogs</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-GettingStarted" id="Navigation-GettingStarted"></a>Get Started
	</h5>
	<ul>
	<li>
	<a href="/start/download.html" title="Download Wicket">Download Wicket</a>
	</li>
	<li>
	<a href="/start/quickstart.html" title="Getting started via a Maven Archetype">Quickstart</a>
	</li>
	<li>
	<a href="http://www.jweekend.com/dev/LegUp" rel="nofollow">More archetypes</a>
	</li>
	<li>
	<a href="/help" title="Get help">Get help</a>
	</li>
	<li>
	<a href="/help/email.html" title="Wicket Mailing Lists">Mailing Lists</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Documentation" id="Navigation-Documentation"></a>Learn
	</h5>
	<ul>
	<li>
	<a href="/start/userguide.html" title="User Guide">User Guide</a>
	</li>
	<li>
	<a href="/learn/examples" title="Examples">Examples</a>
	</li>
	<li>
	<a href="http://www.wicket-library.com/wicket-examples/compref/">Components</a>
	</li>
	<li>
	<a href="/learn/projects/" title="Projects extending basic Wicket">Projects</a>
	</li>
	<li>
	<a href="https://cwiki.apache.org/confluence/display/WICKET">Wiki</a>
	</li>
	<li>
	<a href="https://cwiki.apache.org/confluence/display/WICKET/Reference+library">Reference guide</a>
	</li>
	<li>
	<a href="/learn/books" title="Books">Books</a>
	</li>
	<li>
	<a href="/learn/ides.html" title="IDEs">IDEs</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Releases" id="Navigation-Releases"></a>Releases
	</h5>
	<ul>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/6.20.0">Wicket 6.20</a>
	</li>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.13">Wicket 1.5</a>
	</li>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.23">Wicket 1.4</a>
	</li>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.3.7">Wicket 1.3</a>
	</li>
	<li>
	<a href="http://wicket.sf.net/wicket-1.2" class="external-link" rel="nofollow">Wicket 1.2</a>
	</li>
	<li>
	<a href="http://wicket.sf.net/wicket-1.1" class="external-link" rel="nofollow">Wicket 1.1</a>
	</li>
	<li>
	<a href="http://wicket.sf.net/wicket-1.0" class="external-link" rel="nofollow">Wicket 1.0</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Docs" id="Navigation-Docs"></a>API Docs
	</h5>
	<ul>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/6.x/" title="JavaDocs of Apache Wicket 6.x">Wicket 6.x</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/1.5.x/" title="JavaDocs of Apache Wicket 1.5.x">Wicket 1.5</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/1.4.x" title="JavaDocs of Apache Wicket 1.4.x">Wicket 1.4</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/1.3.x" title="JavaDocs of Apache Wicket 1.3.x">Wicket 1.3</a>
	</li>
	</ul>
	<h5>Wicket 7.x</h5>
	<ul>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M6">Download M6</a>
	</li>
	<li>
	<a href="https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+7.0">Migration guide</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/7.x/" title="JavaDocs of Apache Wicket 7.x">API Docs 7.x</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Developers" id="Navigation-Developers"></a>Contribute
	</h5>
	<ul>
	<li>
	<a href="/contribute/write.html" title="Writing documentation">Writing docs</a>
	</li>
	<li>
	<a href="/contribute/build.html" title="Building from SVN">Build Wicket</a>
	</li>
	<li>
	<a href="/contribute/patch.html" title="Provide a patch">Provide a patch</a>
	</li>
	<li>
	<a href="/contribute/release.html" title="Release Wicket">Release Wicket</a>
	</li>
	<li>
	<a href="https://fisheye6.atlassian.com/browse/wicket-git" title="Git Overview" class="external-link" rel="nofollow">Fisheye</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Apache" id="Navigation-Apache"></a>Apache
	</h5>
	<ul>
	<li>
	<a href="http://www.apache.org/" class="external-link" rel="nofollow">Apache</a>
	</li>
	<li>
	<a href="http://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a>
	</li>
	<li>
	<a href="http://www.apache.org/foundation/sponsorship.html" class="external-link" rel="nofollow">Sponsorship</a>
	</li>
	<li>
	<a href="http://apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a>
	</li>
	<li>
	<a href="/apache/friends.html" title="Apache projects using Wicket">Friends</a>
	</li>
	</ul>
	</div>

	<div id="contentbody">
	<h1>CVE-2012-5636 - Apache Wicket XSS vulnerability</h1>
	<p>Severity: Important</p>

	<p>Vendor:
	The Apache Software Foundation</p>

	<p>Versions Affected:
	Apache Wicket 1.4.x, 1.5.x and 1.6.x</p>

	<p>Description:
	It is possible for JavaScript statements to break out of a <script> tag in the rendered response.
	This might pose a security threat if the written JavaScript contains user provided data.</p>

	<p>This vulnerability is fixed in
	<a href="https://wicket.apache.org/2012/12/14/wicket-6.4.0-released.html">Apache Wicket 6.4.0</a>,
	<a href="https://wicket.apache.org/2013/02/26/wicket-1.5.10-released.html">Apache Wicket 1.5.10</a> and
	Apache Wicket 1.4.22.</p>

	<p>Credit:
	This issue was reported by Michael Riedel.</p>

	</div>
	<div id="clearer"></div>
	<div id="footer"><span>
	Copyright © 2015 — The Apache Software Foundation. Apache Wicket,
	Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
	are trademarks of The Apache Software Foundation. All other marks mentioned
	may be trademarks or registered trademarks of their respective owners.
	</span></div>

	</div>
	</div>
	</body>
	</html>