Skip to content

Apache Wicket: Remote code execution via XSLT injection

High severity GitHub Reviewed Published Jul 12, 2024 to the GitHub Advisory Database • Updated Jul 18, 2024

Package

maven org.apache.wicket:wicket-util (Maven)

Affected versions

>= 10.0.0-M1, < 10.1.0
>= 9.0.0, < 9.18.0
>= 8.0.0, < 8.16.0

Patched versions

10.1.0
9.18.0
8.16.0

Description

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.
Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

References

Published by the National Vulnerability Database Jul 12, 2024
Published to the GitHub Advisory Database Jul 12, 2024
Reviewed Jul 12, 2024
Last updated Jul 18, 2024

Severity

High

EPSS score

0.043%
(11th percentile)

Weaknesses

CVE ID

CVE-2024-36522

GHSA ID

GHSA-hhwc-gh8h-9rrp

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.