oss-sec mailing list archives

CVE-2024-36522: Apache Wicket: Remote code execution via XSLT injection


From: Martin Tzvetanov Grigorov <mgrigorov () apache org>
Date: Fri, 12 Jul 2024 12:12:11 +0000

Severity: moderate

Affected versions:

- Apache Wicket 10.0.0-M1 through 10.0.0
- Apache Wicket 9.0.0 through 9.17.0
- Apache Wicket 8.0.0 through 8.15.0

Description:

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.

Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.
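As an added illustration of the defensive side of this advisory (my own example code, not part of the Apache announcement and not Wicket's XSLTResourceStream or its fix), the block below shows how an application that drives XSLT through JAXP can build a hardened TransformerFactory: FEATURE_SECURE_PROCESSING disables the extension-function mechanism that an injected stylesheet would need to reach Java code, and the two ACCESS_EXTERNAL_* attributes cut off external DTD and stylesheet fetches. The class name HardenedXslt, the helper names and the sample stylesheet and document are all constructed for this example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Example class (hypothetical name), not from Wicket or the advisory.
public class HardenedXslt {

    // Build a TransformerFactory that refuses the capabilities XSLT injection
    // relies on: extension functions / Java calls (FEATURE_SECURE_PROCESSING)
    // and external resource access (ACCESS_EXTERNAL_DTD, ACCESS_EXTERNAL_STYLESHEET).
    // The JDK's built-in XSLTC honours these; a third-party processor may throw
    // IllegalArgumentException for an attribute it does not know.
    public static TransformerFactory secureTransformerFactory() throws Exception {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Apply a stylesheet that the application itself ships. The stylesheet text
    // must never be assembled from request parameters or other untrusted data;
    // the hardened factory limits the damage if that rule is broken, it does
    // not replace it.
    public static String transform(String stylesheet, String xml) throws Exception {
        Transformer t = secureTransformerFactory()
                .newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stylesheet and document for the demonstration.
        String xsl = "<xsl:stylesheet version=\"1.0\""
                + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"text\"/>"
                + "<xsl:template match=\"/\">"
                + "<xsl:value-of select=\"/greeting/@to\"/>"
                + "</xsl:template>"
                + "</xsl:stylesheet>";
        String xml = "<greeting to=\"world\"/>";
        System.out.println(transform(xsl, xml));
    }
}
```

The factory settings are a second line of defence. The root cause named in the advisory is untrusted input reaching the XSLT processor without validation, so the first control is to keep stylesheet sources under application control (a fixed resource, not user-supplied text), and the upgrade to the fixed Wicket versions remains the actual remediation.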

Credit:

cigar (finder)

References:

https://wicket.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-36522
