CVE-2024-53299
The incident concerns CVE-2024-53299 in Apache Wicket. Affects the core of Apache Wicket 7.0.0 on any platform; the vulnerability enables an attacker to cause a denial of service by issuing multiple requests to server resources. The issue is mitigated by upgrading to non-7.x releases (recommended...
CVE-2020-11976
CVE-2020-11976 describes an information-disclosure vulnerability in Apache Wicket: by using a specially crafted URL an attacker can cause Wicket to deliver unprocessed HTML templates, potentially exposing sensitive data embedded in templates. Affected versions are 7.16.0, 8.8.0, and 9.0.0-M5. The...
CVE-2024-36522
The CVE-2024-36522 issue affects Apache Wicket’s XSLTResourceStream.java default configuration, where processing input from untrusted sources can lead to remote code execution via XSLT injection. Concretely, the vulnerability centers on the default parsing/stream handling path, enabling an attack...
CVE-2024-27439
CVE-2024-27439 affects Apache Wicket. An error in the evaluation of the fetch metadata headers could allow bypassing CSRF protections. The issue is present in Wicket releases 9.1.0 through 9.16.0 and the milestone 10.0 series; Wicket 8.x is not affected. Upgrading to Wicket 9.17.0 or 10.0.0 fixes...
CVE-2021-23937
The CVE-2021-23937 issue is a DNS proxy/amplification vulnerability in Apache Wicket’s WebClientInfo. The root cause is failure to sanitize the X-Forwarded-For header, allowing arbitrary DNS lookups from the server. Affected versions include Wicket 9.x up to 9.2.0 and prior, 8.x up to 8.11.0 and ...
CVE-2012-3373
CVE-2012-3373 affects Apache Wicket 1.4.x and 1.5.x. The vulnerability is XSS via a manipulated URL parameter (encoded null byte) in an Ajax link, allowing injection of arbitrary script/HTML in Wicket apps. Root cause: handling of a %00 sequence in the Ajax link URL. Impact: remote attacker can e...
CVE-2015-5347
Apache Wicket is affected by an XSS in the getWindowOpenJavaScript function within ModalWindow (org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow). The vulnerability allows a remote attacker to inject arbitrary script/HTML through the ModalWindow title. Affected versions are 1.5.x p...
CVE-2016-6793
The CVE-2016-6793 entry affects Apache Wicket DiskFileItem in Wicket 6.x (before 6.25.0) and 1.5.x (before 1.5.17). The vulnerability allows remote attackers to cause a denial of service (infinite loop) and to write, move, and delete files with the permissions of DiskFileItem. If run on a Java VM...
CVE-2012-1089
CVE-2012-1089 affects Apache Wicket 1.4.x (before 1.4.20) and 1.5.x (before 1.5.5). A directory traversal flaw allows remote attackers to read arbitrary files by using a relative path in a URL for a Wicket resource that corresponds to a null package. The issue impacts web applications using vulne...
CVE-2014-3526
Apache Wicket is vulnerable to information disclosure in versions prior to 1.5.12, 6.x prior to 6.17.0, and 7.x prior to 7.0.0-M3. The issue allows remote attackers to obtain sensitive information via identifiers used for storing page markup during temporary user sessions. Connected sources confi...
CVE-2014-7808
CVE-2014-7808 affects Apache Wicket (versions prior to 1.5.13, 6.x prior to 6.19.0, and 7.x prior to 7.0.0-M5). The issue arises from using CryptoMapper as the default encryption provider, which can make it easier for attackers to defeat cryptographic protection and predict encrypted URLs. Remedi...
CVE-2016-6806
CVE-2016-6806 affects Apache Wicket 6.x prior to 6.25.0, 7.x prior to 7.5.0, and 8.0.0-M1, where CSRF protection could miss some cross-origin requests because only the Origin header was checked. The mitigation is to also validate the Referer header when Origin is absent and ensure all server-side...
CVE-2014-0043
In Apache Wicket, versions 1.5.10 and 6.13.0 are vulnerable to an information-disclosure flaw: by requesting special Wicket URLs, an attacker can determine whether a third-party library with a known vulnerability is present in the classpath. The underlying issue is an information-disclosure-like check...
CVE-2012-0047
The CVE affects Apache Wicket 1.4.x, vulnerable to XSS via the wicket:pageMapName request parameter. The root cause is improper handling of this parameter, enabling remote script/HTML injection. Affected versions: 1.4.x prior to 1.4.20. The vulnerability is mitigated by upgrading to Apache Wicket...
CVE-2011-2712
CVE-2011-2712 is a cross-site scripting (XSS) vulnerability affecting Apache Wicket 1.4.x prior to 1.4.18 when setAutomaticMultiWindowSupport is enabled. The root cause is the application’s multi-window support configuration enabling injection of arbitrary JavaScript/HTML via unspecified paramete...
CVE-2013-2055
The CVE-2013-2055 issue affects Apache Wicket versions: 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0. The vulnerability allows remote attackers to read sensitive information by triggering raw HTML templates to render outside wicket:panel markup, causing information disclosure. N...
CVE-2012-5636
CVE-2012-5636 affects Apache Wicket: vulnerable in Wicket 1.4.x < 1.4.22, 1.5.x < 1.5.10, and 6.x < 6.4.0. It is a cross-site scripting (XSS) flaw that could allow remote attackers to inject arbitrary web script or HTML via vectors related to [removed] tags in a rendered response. Connec...
CVE-2015-7520
Affected software: Apache Wicket. Vulnerable components: RadioGroup and CheckBoxMultipleChoice classes. Versions impacted: 1.5.x before 1.5.15; 6.x before 6.22.0; 7.x before 7.2.0. Issue: Multiple XSS vulnerabilities allow remote attackers to inject arbitrary web script or HTML through a crafted ...
CVE-2026-40010
CVE-2026-40010 describes a session-fixation risk in Apache Wicket caused by the Servlet HTTP request method changeSessionId not being invoked after session binding. Affected versions are Wicket 8.0.0–8.17.0, 9.0.0, and 10.0.0–10.8.0. The issue can be mitigated by upgrading to version 10.9.0, ...
CVE-2026-42509
The CVE-2026-42509 entry covers an XSS vulnerability in Apache Wicket due to Improper Neutralization of Input During Web Page Generation. Affected versions are Apache Wicket 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0. The issue’s fix is to upgrade to version 10.9.0, which resolves the...
CVE-2026-43975
CVE-2026-43975 affects Apache Wicket via the FolderUploadsFileManager, which fails to validate or sanitize the uploadFieldId parameter or the clientFileName when constructing file paths. This can let an unauthenticated attacker write files outside the intended upload directory or read files from ...
CVE-2026-43646
CVE-2026-43646 affects Apache Wicket versions 8.0.0–8.17.0, 9.0.0–9.22.0, and 10.0.0–10.8.0. It corresponds to a vulnerability where crafted URLs can bypass PackageResourceGuard, leading to exposure of sensitive information to an unauthorized actor. The recommended fix is upgrading to version 10....