Cross-Site Scripting Vulnerability in Apache Wicket ModalWindow
CVE-2015-5347

6.1MEDIUM

Key Information:

Vendor
Apache
Status
Wicket
Vendor
CVE Published:
12 April 2016

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The vulnerability allows remote attackers to inject arbitrary web scripts or HTML through the title attribute of a ModalWindow in Apache Wicket. This can lead to unauthorized actions on behalf of users and expose sensitive information. Users are advised to update to the latest versions of Apache Wicket to mitigate this security risk and protect their applications from potential exploitation.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

wicker-cve-2015-5347
Created by alexanderkjall

References

http://wicket.apache.org/news/2016/03/01/cve-2015-5347.html
x_refsource_CONFIRM
https://issues.apache.org/jira/browse/WICKET-6037
x_refsource_CONFIRM
http://www.securitytracker.com/id/1035165
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.