Apache Wicket: Remote code execution via XSLT injection

CVE-2024-36522

Currently unrated 🤨

Key Information

Vendor: Apache
Status: Apache Wicket
Vendor: CVE Published:; 12 July 2024

Summary

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

Affected Version(s)

Apache Wicket <= 10.0.0

Apache Wicket <= 9.17.0

Apache Wicket <= 8.15.0

Timeline

Vulnerability published.
Jul 12, 2024
Vulnerability Reserved.
May 30, 2024

Collectors

NVD DatabaseMitre Database

Credit

cigar