Cross-Site Scripting Vulnerability in Apache Wicket jQuery UI
CVE-2018-1325

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Wicket-jquery-ui
Vendor: CVE Published:; 18 April 2018

Summary

In certain versions of Apache Wicket jQuery UI, a vulnerability exists whereby JavaScript code created in the WYSIWYG editor can be executed upon display. This flaw could allow an attacker to inject malicious code, potentially leading to unauthorized actions within the user’s session.

Affected Version(s)

wicket-jquery-ui wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1

References

https://markmail.org/message/6bxjyaolehhq7jrl

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 18, 2018
Vulnerability Reserved
Dec 7, 2017