Cross-Site Scripting Vulnerability in Apache Wicket jQuery UI
CVE-2018-1325

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Wicket-jquery-ui
Vendor: CVE Published:; 18 April 2018

What is CVE-2018-1325?

In certain versions of Apache Wicket jQuery UI, a vulnerability exists whereby JavaScript code created in the WYSIWYG editor can be executed upon display. This flaw could allow an attacker to inject malicious code, potentially leading to unauthorized actions within the user’s session.

Affected Version(s)

wicket-jquery-ui wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1

References

https://markmail.org/message/6bxjyaolehhq7jrl

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 18, 2018
Vulnerability Reserved
Dec 7, 2017