ApacheWicket

22 matches found

CVE
added 2025/01/23 8:37 a.m., 304 views

CVE-2024-53299

The incident concerns CVE-2024-53299 in Apache Wicket. It affects the core of Apache Wicket 7.0.0 on any platform; the vulnerability enables an attacker to cause a denial of service by issuing multiple requests to server resources. The issue is mitigated by upgrading to non-7.x releases (recommended...

CVSS 6.5, AI score 6.5, EPSS 0.01458
CVE
added 2020/08/11 6:15 p.m., 96 views

CVE-2020-11976

CVE-2020-11976 describes an information-disclosure vulnerability in Apache Wicket: by using a specially crafted URL an attacker can cause Wicket to deliver unprocessed HTML templates, potentially exposing sensitive data embedded in templates. Affected versions are 7.16.0, 8.8.0, and 9.0.0-M5. The...

CVSS 7.5, AI score 7.2, EPSS 0.03759
CVE
added 2024/07/12 12:13 p.m., 89 views

CVE-2024-36522

The CVE-2024-36522 issue affects Apache Wicket’s XSLTResourceStream.java default configuration, where processing input from untrusted sources can lead to remote code execution via XSLT injection. Concretely, the vulnerability centers on the default parsing/stream handling path, enabling an attack...

CVSS 9.8, AI score 10, EPSS 0.02127
CVE
added 2024/03/19 11:07 a.m., 85 views

CVE-2024-27439

CVE-2024-27439 affects Apache Wicket. An error in the evaluation of the fetch metadata headers could allow bypassing CSRF protections. The issue is present in Wicket releases 9.1.0 through 9.16.0 and the milestone 10.0 series; Wicket 8.x is not affected. Upgrading to Wicket 9.17.0 or 10.0.0 fixes...

CVSS 6.5, AI score 6.8, EPSS 0.00681
CVE
added 2012/09/19 7:00 p.m., 72 views

CVE-2012-3373

CVE-2012-3373 affects Apache Wicket 1.4.x and 1.5.x. The vulnerability is XSS via a manipulated URL parameter (encoded null byte) in an Ajax link, allowing injection of arbitrary script/HTML in Wicket apps. Root cause: handling of a %00 sequence in the Ajax link URL. Impact: remote attacker can e...

CVSS 4.3, AI score 5.8, EPSS 0.03279
CVE
added 2021/05/25 8:05 a.m., 72 views

CVE-2021-23937

The CVE-2021-23937 issue is a DNS proxy/amplification vulnerability in Apache Wicket’s WebClientInfo. The root cause is failure to sanitize the X-Forwarded-For header, allowing arbitrary DNS lookups from the server. Affected versions include Wicket 9.x up to 9.2.0, 8.x up to 8.11.0 and ...

CVSS 7.5, AI score 7.5, EPSS 0.0426
CVE
added 2016/04/12 5:00 p.m., 64 views

CVE-2015-5347

Apache Wicket is affected by an XSS in the getWindowOpenJavaScript function within ModalWindow (org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow). The vulnerability allows a remote attacker to inject arbitrary script/HTML through the ModalWindow title. Affected versions are 1.5.x p...

CVSS 6.1, AI score 6, EPSS 0.08207
CVE
added 2017/07/14 8:00 p.m., 62 views

CVE-2016-6793

The CVE-2016-6793 entry affects Apache Wicket DiskFileItem in Wicket 6.x (before 6.25.0) and 1.5.x (before 1.5.17). The vulnerability allows remote attackers to cause a denial of service (infinite loop) and to write, move, and delete files with the permissions of DiskFileItem. If run on a Java VM...

CVSS 9.1, AI score 9.3, EPSS 0.08464
CVE
added 2012/03/23 6:00 p.m., 59 views

CVE-2012-1089

CVE-2012-1089 affects Apache Wicket 1.4.x (before 1.4.20) and 1.5.x (before 1.5.5). A directory traversal flaw allows remote attackers to read arbitrary files by using a relative path in a URL for a Wicket resource that corresponds to a null package. The issue impacts web applications using vulne...

CVSS 5, AI score 6.9, EPSS 0.05518
CVE
added 2017/10/30 2:00 p.m., 56 views

CVE-2014-3526

Apache Wicket is vulnerable to information disclosure in versions prior to 1.5.12, 6.x prior to 6.17.0, and 7.x prior to 7.0.0-M3. The issue allows remote attackers to obtain sensitive information via identifiers used for storing page markup during temporary user sessions. Connected sources confi...

CVSS 7.5, AI score 7.2, EPSS 0.02276
CVE
added 2012/03/23 6:00 p.m., 55 views

CVE-2012-0047

The CVE affects Apache Wicket 1.4.x, vulnerable to XSS via the wicket:pageMapName request parameter. The root cause is improper handling of this parameter, enabling remote script/HTML injection. Affected versions: 1.4.x prior to 1.4.20. The vulnerability is mitigated by upgrading to Apache Wicket...

CVSS 4.3, AI score 5.9, EPSS 0.03002
CVE
added 2017/09/15 8:00 p.m., 55 views

CVE-2014-7808

CVE-2014-7808 affects Apache Wicket (versions prior to 1.5.13, 6.x prior to 6.19.0, and 7.x prior to 7.0.0-M5). The issue arises from using CryptoMapper as the default encryption provider, which can make it easier for attackers to defeat cryptographic protection and predict encrypted URLs. Remedi...

CVSS 7.5, AI score 7.5, EPSS 0.01107
CVE
added 2017/10/02 1:00 p.m., 55 views

CVE-2016-6806

CVE-2016-6806 affects Apache Wicket 6.x prior to 6.25.0, 7.x prior to 7.5.0, and 8.0.0-M1, where CSRF protection could miss some cross-origin requests because only the Origin header was checked. The mitigation is to also validate the Referer header when Origin is absent and ensure all server-side...

CVSS 8.8, AI score 8.6, EPSS 0.00822
CVE
added 2017/10/02 1:00 p.m., 52 views

CVE-2014-0043

In Apache Wicket, versions 1.5.10 and 6.13.0 are vulnerable to an information-check flaw: by requesting special Wicket URLs, an attacker can determine whether a third-party library with a known vulnerability is present in the classpath. The underlying issue is an information-disclosure-like check...

CVSS 5.3, AI score 5.2, EPSS 0.03012
CVE
added 2011/08/29 3:00 p.m., 51 views

CVE-2011-2712

CVE-2011-2712 is a cross-site scripting (XSS) vulnerability affecting Apache Wicket 1.4.x prior to 1.4.18 when setAutomaticMultiWindowSupport is enabled. The root cause is the application’s multi-window support configuration enabling injection of arbitrary JavaScript/HTML via unspecified paramete...

CVSS 2.6, AI score 5.9, EPSS 0.0328
CVE
added 2014/02/10 11:00 p.m., 51 views

CVE-2013-2055

The CVE-2013-2055 issue affects Apache Wicket versions: 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0. The vulnerability allows remote attackers to read sensitive information by triggering raw HTML templates to render outside wicket:panel markup, causing information disclosure. N...

CVSS 5, AI score 6.1, EPSS 0.03188
CVE
added 2017/10/30 7:00 p.m., 50 views

CVE-2012-5636

CVE-2012-5636 affects Apache Wicket: vulnerable in Wicket 1.4.x < 1.4.22, 1.5.x < 1.5.10, and 6.x < 6.4.0. It is a cross-site scripting (XSS) flaw that could allow remote attackers to inject arbitrary web script or HTML via vectors related to [removed] tags in a rendered response. Connec...

CVSS 6.1, AI score 5.9, EPSS 0.03095
CVE
added 2016/04/12 5:00 p.m., 50 views

CVE-2015-7520

Affected software: Apache Wicket. Vulnerable components: RadioGroup and CheckBoxMultipleChoice classes. Versions impacted: 1.5.x before 1.5.15; 6.x before 6.22.0; 7.x before 7.2.0. Issue: Multiple XSS vulnerabilities allow remote attackers to inject arbitrary web script or HTML through a crafted ...

CVSS 6.1, AI score 5.9, EPSS 0.05188
CVE
added 2026/05/06 8:34 a.m., 27 views

CVE-2026-40010

CVE-2026-40010 describes a session-fixation risk in Apache Wicket caused by the Servlet HTTP request method changeSessionId not being invoked after session binding. Affected versions are Wicket 8.0.0–8.17.0, 9.0.0, and 10.0.0–10.8.0. The issue can be mitigated by upgrading to version 10.9.0, ...

CVSS 9.1, AI score 5.7, EPSS 0.00379
CVE
added 2026/05/06 8:34 a.m., 25 views

CVE-2026-42509

The CVE-2026-42509 entry covers an XSS vulnerability in Apache Wicket due to Improper Neutralization of Input During Web Page Generation. Affected versions are Apache Wicket 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0. The issue’s fix is to upgrade to version 10.9.0, which resolves the...

CVSS 6.1, AI score 5.8, EPSS 0.00357
CVE
added 2026/05/06 8:28 a.m., 25 views

CVE-2026-43975

CVE-2026-43975 affects Apache Wicket via the FolderUploadsFileManager, which fails to validate or sanitize the uploadFieldId parameter or the clientFileName when constructing file paths. This can let an unauthenticated attacker write files outside the intended upload directory or read files from ...

CVSS 6.5, AI score 5.9, EPSS 0.00732
CVE
added 2026/05/06 8:31 a.m., 20 views

CVE-2026-43646

CVE-2026-43646 affects Apache Wicket versions 8.0.0–8.17.0, 9.0.0–9.22.0, and 10.0.0–10.8.0. It corresponds to a vulnerability where crafted URLs can bypass PackageResourceGuard, leading to exposure of sensitive information to an unauthorized actor. The recommended fix is upgrading to version 10....

CVSS 7.5, AI score 5.8, EPSS 0.00394