CVE-2015-5347

6.1MEDIUM

Key Information:

Vendor
Apache
Status
Wicket
Vendor
CVE Published:
12 April 2016

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

wicker-cve-2015-5347
Created by alexanderkjall

References

http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html
x_refsource_CONFIRM
https://issues.apache.org/jira/browse/WICKET-6037
x_refsource_CONFIRM
http://www.securitytracker.com/id/1035165
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.