Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.5.12, 6.18.0 and 7.0.0-M4

Description: With Wicket's default security settings, CryptoMapper's encryption/obfuscation of page URLs is not strong enough. It is possible to predict the encrypted version of a URL based on the previous history.

Application developers using this feature are recommended to upgrade to:
- Apache Wicket 1.5.13
- Apache Wicket 6.19.0
- Apache Wicket 7.0.0-M5

Credit: This issue was reported by Fabian Faessler!

Apache Wicket Team