CVE-2020-11976

CVSS v3.1 7.5 (High)
CVSS v2.0 5 (Medium)
EPSS 1.27 % (86th)
Affected Products 2
Advisories 1

By crafting a special URL, it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside an HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5.

Weaknesses
CWE-552
Files or Directories Accessible to External Parties
CVE Status
PUBLISHED
CNA
Apache Software Foundation
Published Date
2020-08-11 19:15:17
Updated Date
2023-11-07 03:15:16

Affected Products

Configuration #1

  Product                                                  | CPE23                                    | From     | Up To
  Apache Fortress 2.0.5                                    | cpe:2.3:a:apache:fortress:2.0.5          |          |
  Apache Wicket prior 7.17.0 version                       | cpe:2.3:a:apache:wicket                  |          | < 7.17.0
  Apache Wicket from 8.0.0 version and prior 8.9.0 version | cpe:2.3:a:apache:wicket                  | >= 8.0.0 | < 8.9.0
  Apache Wicket 9.0.0 Milestone1                           | cpe:2.3:a:apache:wicket:9.0.0:milestone1 |          |
  Apache Wicket 9.0.0 Milestone2                           | cpe:2.3:a:apache:wicket:9.0.0:milestone2 |          |
  Apache Wicket 9.0.0 Milestone3                           | cpe:2.3:a:apache:wicket:9.0.0:milestone3 |          |
  Apache Wicket 9.0.0 Milestone4                           | cpe:2.3:a:apache:wicket:9.0.0:milestone4 |          |
  Apache Wicket 9.0.0 Milestone5                           | cpe:2.3:a:apache:wicket:9.0.0:milestone5 |          |