Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5
Description:
By crafting a special URL it is possible to make Wicket deliver
unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information
inside a HTML template that is usually removed during rendering.
For example if there are credentials in the markup which are never
supposed to be visible to the client:
<wicket:remove>
some secret
</wicket:remove>
The application developers are recommended to upgrade to:
- Apache Wicket 7.17.0
<http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
- Apache Wicket 8.9.0
<http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
- Apache Wicket 9.0.0
<http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>
Credit:
The vulnerability has been found and reported by Mariusz Popławski from
Afine.
Apache Wicket Team
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org