8 matches found
Session Fixation
org.apache.wicket, wicket-auth-roles is vulnerable to a session fixation. The vulnerability is due to the missing invocation of the Servlet HTTP request method changeSessionId after session binding, which allows an attacker to exploit session fixation by reusing a predefined session ID to hijack ...
EUVD-2026-27554
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...
GHSA-QPJW-P3JG-59J6 Apache Wicket has a Session Fixation issue
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...
Apache Wicket has a Session Fixation issue
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...
CVE-2026-40010
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...
CVE-2026-40010
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...
CVE-2026-40010
CVE-2026-40010 describes a session-fixation risk in Apache Wicket caused by missing invocation of Servlet http web request method changeSessionId after session binding. Affected versions are Wicket 8.0.0–8.17.0, 9.0.0, and 10.0.0–10.8.0. The issue can be mitigated by upgrading to version 10.9.0, ...
CVE-2026-40010 Apache Wicket: possible session fixation using AuthenticatedWebSession
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...