| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> |
| <title>CVE-2012-5636 - Apache Wicket XSS vulnerability | Apache Wicket</title> |
| <meta name="viewport" content="width=device-width, initial-scale=1" /> |
| |
| <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" /> |
| <link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" /> |
| <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" /> |
| |
| <script src="//code.jquery.com/jquery-1.11.3.min.js"></script> |
| |
| </head> |
| |
| <body class=""> |
| <div class="header default"> |
| <div class="l-container"> |
| <div class="logo"> |
| <a href="/"><img src="/img/logo-apachewicket-white.svg" alt="Apache Wicket"></a> |
| </div> |
| </div> |
| </div> |
| <main> |
| <div class="l-container"> |
| <header class="l-full preamble"> |
| <h1>CVE-2012-5636 - Apache Wicket XSS vulnerability</h1> |
| </header> |
| <section class="l-one-third right"> |
| </section> |
| <section class="l-two-third left"> |
| <div class="l-full"> |
| <p class="meta">03 Mar 2013</p> |
| <p>Severity: Important</p> |
| <p>Vendor: |
| The Apache Software Foundation</p> |
| <p>Versions Affected: |
| Apache Wicket 1.4.x, 1.5.x and 1.6.x</p> |
| <p>Description: |
| It is possible for JavaScript statements to break out of a &lt;script&gt; tag in the rendered response. |
| This might pose a security threat if the written JavaScript contains user-provided data.</p> |
| <p>This vulnerability is fixed in |
| <a href="https://wicket.apache.org/2012/12/14/wicket-6.4.0-released.html">Apache Wicket 6.4.0</a>, |
| <a href="https://wicket.apache.org/2013/02/26/wicket-1.5.10-released.html">Apache Wicket 1.5.10</a> and |
| Apache Wicket 1.4.22.</p> |
| <p>Credit: |
| This issue was reported by Michael Riedel.</p> |
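<p>The following added example (not Apache Wicket code and not the project's fix) illustrates the class of problem described above: a value written into an inline &lt;script&gt; block can end the script element early, and escaping "&lt;" before writing prevents that. All function names and the sample value are constructed for illustration, and the parser model is a simplification.</p>

```javascript
// Added example, not Apache Wicket code. Function names and the sample
// value are constructed for illustration.

// Naive: JSON-encode the value and write it into an inline script. JSON
// quoting protects the JavaScript string but leaves "<" and "/" untouched.
function renderNaive(userValue) {
  return "<script>var name = " + JSON.stringify(userValue) + ";</script>";
}

// Hardened: also write every "<" as \u003c, so the script text can never
// contain "</script" (or "<!--"). JavaScript decodes it back to "<".
function toInlineScriptLiteral(userValue) {
  return JSON.stringify(userValue).replace(/</g, "\\u003c");
}

function renderSafe(userValue) {
  return "<script>var name = " + toInlineScriptLiteral(userValue) + ";</script>";
}

// Approximation of the HTML parser rule that matters here: script text ends
// at the first "</script" followed by whitespace, "/" or ">", matched
// case-insensitively and without regard to JavaScript quoting.
// Assumes the input contains a literal "<script>" start tag.
function splitAtScriptEnd(html) {
  const start = html.indexOf("<script>") + "<script>".length;
  const m = /<\/script[\s\/>]/i.exec(html.slice(start));
  if (!m) return { scriptText: html.slice(start), afterScript: "" };
  const tagEnd = html.indexOf(">", start + m.index);
  return {
    scriptText: html.slice(start, start + m.index),
    afterScript: tagEnd === -1 ? "" : html.slice(tagEnd + 1),
  };
}

// Constructed sample value carrying harmless markup.
const sample = "x</script><b>markup</b>";
console.log(splitAtScriptEnd(renderNaive(sample)));
console.log(splitAtScriptEnd(renderSafe(sample)));
```

<p>In the naive rendering everything after the first closing tag is handed to the HTML parser as markup; in the hardened rendering nothing follows the script element and the JavaScript string still decodes to the original value.</p>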
| </div> |
| </section> |
| </div> |
| </main> |
| <footer class="l-container"> |
| <div class="l-full"> |
| <img height="60px" src="/img/asf_logo.gif" style="float:left"> |
| Copyright © 2014 — The Apache Software Foundation. Apache Wicket, |
| Wicket, Apache, the Apache feather logo, and the Apache Wicket |
| project logo are trademarks of The Apache Software Foundation. All |
| other marks mentioned may be trademarks or registered trademarks of |
| their respective owners. |
| </div> |
| </footer> |
| </body> |
| |
| </html> |