Apache Wicket: Remote code execution via XSLT injection
CVE-2024-36522

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Wicket
Vendor: CVE Published:; 12 July 2024

Summary

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

Affected Version(s)

Apache Wicket 10.0.0-M1 <= 10.0.0

Apache Wicket 9.0.0 <= 9.17.0

Apache Wicket 8.0.0 <= 8.15.0

References

https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6w...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/07/12/2

Timeline

Vulnerability published
Jul 12, 2024
Vulnerability Reserved
May 30, 2024

Credit

cigar