Hi,

Wicket 6.x is no longer supported. Wicket 7.x is the current security maintenance branch.
Your options are:
- patch locally
- upgrade to a newer version

On Wed, Aug 10, 2022 at 6:17 PM Daniel Stoch <daniel.st...@gmail.com> wrote:
> Hi,
>
> Is there any JIRA issue for this? I tried to find one, but no issue in Wicket
> JIRA points directly to CVE-2020-11976.
> One possible candidate to me is WICKET-6792 :). Am I right? If yes, this is
> already fixed also for Wicket 6.31.0, can you release this version?
>
> --
> Best regards,
> Daniel Stoch
>
>
> Mon, 10 Aug 2020 at 18:23 <svenme...@apache.org> wrote:
>
> > Severity: Important
> >
> > Vendor:
> > The Apache Software Foundation
> >
> > Versions Affected:
> > Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5
> >
> > Description:
> >
> > By crafting a special URL it is possible to make Wicket deliver
> > unprocessed HTML templates.
> > This would allow an attacker to see possibly sensitive information
> > inside an HTML template that is usually removed during rendering.
> > For example, if there are credentials in the markup which are never
> > supposed to be visible to the client:
> >
> > <wicket:remove>
> > some secret
> > </wicket:remove>
> >
> > The application developers are recommended to upgrade to:
> > - Apache Wicket 7.17.0
> > <http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
> > - Apache Wicket 8.9.0
> > <http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
> > - Apache Wicket 9.0.0
> > <http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>
> >
> > Credit:
> > The vulnerability has been found and reported by Mariusz Popławski from
> > Afine.
> >
> > Apache Wicket Team
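Added example, not part of the thread above and not Wicket project code: the advisory says an unpatched deployment can be made to serve the raw template, so anything inside <wicket:remove> blocks (which normal rendering strips) was reachable by an attacker. Before or after upgrading, it is worth knowing what those blocks actually contain. The script below walks a tree of .html templates and reports every non-empty <wicket:remove> block. The function names, the sample template and the "dbpassword=hunter2" line in it are constructed for this example.

```python
import re
from pathlib import Path

# Matches one <wicket:remove ...> ... </wicket:remove> block, case-insensitive,
# and captures the markup inside it. Wicket does not support nesting these
# blocks, so a non-greedy match is sufficient.
REMOVE_BLOCK = re.compile(
    r"<wicket:remove\b[^>]*>(.*?)</wicket:remove\s*>",
    re.IGNORECASE | re.DOTALL,
)


def find_remove_blocks(markup: str) -> list[str]:
    """Return the stripped inner markup of every <wicket:remove> block."""
    return [m.group(1).strip() for m in REMOVE_BLOCK.finditer(markup)]


def audit_markup(templates: dict[str, str]) -> dict[str, list[str]]:
    """Map template name -> non-empty <wicket:remove> contents.

    Anything reported here is what an attacker could read from a deployment
    that served the unprocessed template (the behaviour described in the
    advisory for Wicket 7.16.0, 8.8.0 and 9.0.0-M5)."""
    findings = {}
    for name, markup in templates.items():
        blocks = [b for b in find_remove_blocks(markup) if b]
        if blocks:
            findings[name] = blocks
    return findings


def audit_templates(root: Path) -> dict[str, list[str]]:
    """Read every *.html under `root` and run audit_markup over it."""
    templates = {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
        for p in sorted(root.rglob("*.html"))
    }
    return audit_markup(templates)


# Constructed sample template, modelled on the advisory's <wicket:remove>
# example; the credential in it is fake.
SAMPLE_TEMPLATE = """<html xmlns:wicket="http://wicket.apache.org">
<body>
  <wicket:remove>
    <!-- preview data for the designer -->
    dbpassword=hunter2
  </wicket:remove>
  <span wicket:id="message">placeholder</span>
  <wicket:remove></wicket:remove>
</body>
</html>
"""

if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "HomePage.html").write_text(SAMPLE_TEMPLATE, encoding="utf-8")
        for template, blocks in audit_templates(root).items():
            print(f"{template}: {len(blocks)} non-empty <wicket:remove> block(s)")
            for block in blocks:
                print("    " + block.replace("\n", "\n    "))
```

Run it against the directory that holds your application's templates (the .html files next to the page classes); the empty block in the sample is deliberately ignored, since it leaks nothing. The report tells you which templates need their <wicket:remove> contents cleaned out regardless of the Wicket version in use.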