Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Wicket 1.4.x
Apache Wicket 1.3.x and 1.5-RCx are not affected
Description: With multi window support application configuration and special query parameters it is possible to execute any kind of JavaScript on a site running with the affected versions.
Mitigation: Either disable multi window support with
{% highlight java %} public class MyApp extends WebApplication { public void init() { super.init(); getPageSettings.setAutomaticMultiWindowSupport(false); } } {% endhighlight %}
or upgrade to Apache Wicket 1.4.18 or Apache Wicket 1.5-RC5.1
Credit: This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH.