HTML Template Exposure in Apache Wicket Versions
CVE-2020-11976

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Wicket
Vendor
CVE Published:
11 August 2020

Summary

A vulnerability has been identified in Apache Wicket that allows an attacker to craft specific URLs to access unprocessed HTML templates. This exposure can potentially disclose sensitive information that is typically sanitized during the rendering process, posing a significant security risk for applications utilizing affected versions of Apache Wicket. To mitigate this risk, it's essential for users to upgrade to newer, patched versions of the software.

Affected Version(s)

Apache Wicket Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5

References

https://lists.apache.org/thread.html/r104eeefeb1e9da51f7e...
x_refsource_MISC
https://lists.apache.org/thread.html/rd0f36b83cc9f28b016e...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r982c626dbce5c995223...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.