CVE-2020-11976

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Wicket
Vendor: CVE Published:; 11 August 2020

Summary

By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5

Affected Version(s)

Apache Wicket Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5

References

https://lists.apache.org/thread.html/r104eeefeb1e9da51f7e...

x_refsource_MISC

https://lists.apache.org/thread.html/rd0f36b83cc9f28b016e...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/r982c626dbce5c995223...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 11, 2020
Vulnerability Reserved
Apr 21, 2020

.