By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.apache.wicket:wicket-core(Maven) | 0 | 7.17.0 | N/A |
| org.apache.wicket:wicket-core(Maven) | 8.0.0 | 8.9.0 | N/A |
| org.apache.wicket:wicket-core(Maven) | 9.0.0-M1 | 9.0.0 | N/A |
| org.apache.wicket:wicket-core(Maven) | 9.0.0-M2 | 9.0.0 | N/A |
| org.apache.wicket:wicket-core(Maven) | 9.0.0-M3 | 9.0.0 | N/A |
| org.apache.wicket:wicket-core(Maven) | 9.0.0-M4 | 9.0.0 | N/A |
| org.apache.wicket:wicket-core(Maven) | 9.0.0-M5 | 9.0.0 | N/A |
CVSS Metrics
