[MAVEN:GHSA-HHWC-GH8H-9RRP] Apache Wicket: Remote code execution via XSLT injection

Severity High
Affected Packages 4
Fixed Packages 4
CVEs 1

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.
Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

ID
MAVEN:GHSA-HHWC-GH8H-9RRP
Severity
high
URL
https://github.com/advisories/GHSA-hhwc-gh8h-9rrp
Published
2024-07-12T15:31:26
Modified
2024-07-12T21:00:44
Rights
Maven Security Team
| Type | Package URL | Namespace | Name | Version |
|---|---|---|---|---|
| Affected | pkg:maven/org.apache.wicket/wicket-util | org.apache.wicket | wicket-util | >= 8.0.0, < 8.16.0 |
| Fixed | pkg:maven/org.apache.wicket/wicket-util | org.apache.wicket | wicket-util | = 8.16.0 |
| Affected | pkg:maven/org.apache.wicket/wicket-core | org.apache.wicket | wicket-core | >= 8.0.0, < 8.16.0 |
| Fixed | pkg:maven/org.apache.wicket/wicket-core | org.apache.wicket | wicket-core | = 8.16.0 |
| Affected | pkg:maven/org.apache.wicket/wicket-core | org.apache.wicket | wicket-core | >= 9.0.0, < 9.18.0 |
| Fixed | pkg:maven/org.apache.wicket/wicket-core | org.apache.wicket | wicket-core | = 9.18.0 |
| Affected | pkg:maven/org.apache.wicket/wicket-core | org.apache.wicket | wicket-core | >= 10.0.0-M1, < 10.1.0 |
| Fixed | pkg:maven/org.apache.wicket/wicket-core | org.apache.wicket | wicket-core | = 10.1.0 |