Hi,

Is there any JIRA issue for this? I tried to find one, but no issue in Wicket JIRA points directly to CVE-2020-11976. One possible candidate to me is WICKET-6792 :). Am I right? If yes, this is already fixed also for Wicket 6.31.0, can you release this version?
--
Best regards,
Daniel Stoch

On Mon, 10 Aug 2020 at 18:23 <svenme...@apache.org> wrote:
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5
>
> Description:
>
> By crafting a special URL it is possible to make Wicket deliver
> unprocessed HTML templates.
> This would allow an attacker to see possibly sensitive information
> inside an HTML template that is usually removed during rendering.
> For example, if there are credentials in the markup which are never
> supposed to be visible to the client:
>
> <wicket:remove>
> some secret
> </wicket:remove>
>
> The application developers are recommended to upgrade to:
> - Apache Wicket 7.17.0
> <http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
> - Apache Wicket 8.9.0
> <http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
> - Apache Wicket 9.0.0
> <http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>
>
> Credit:
> The vulnerability has been found and reported by Mariusz Popławski from
> Afine.
>
> Apache Wicket Team
>
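The advisory quoted above makes the point that anything inside a `<wicket:remove>` block still lives in the template file on disk, so it is only ever one raw-template disclosure away from being served. A practical complement to the upgrade is an audit of the templates themselves. The following script is an added example written for this thread, not code from the Wicket project or from the advisory; it scans Wicket HTML markup for `<wicket:remove>` regions and flags those whose content looks like a credential. The sample template and the keyword list are constructed for illustration; the case-insensitive matching is a conservative assumption, not a statement about how Wicket parses the tag.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed sample template (not taken from the advisory). The first
# <wicket:remove> block contains the kind of design-time secret the
# advisory warns about; the second is harmless preview text.
SAMPLE_TEMPLATE = """<html xmlns:wicket="http://wicket.apache.org">
<body>
  <wicket:remove>
    <!-- design-time only -->
    db.password=hunter2
  </wicket:remove>
  <div wicket:id="content">placeholder</div>
  <wicket:remove>
    Lorem ipsum preview text
  </wicket:remove>
</body>
</html>
"""

# Matches a <wicket:remove ...> ... </wicket:remove> region, spanning lines.
REMOVE_BLOCK = re.compile(
    r"<wicket:remove\b[^>]*>(.*?)</wicket:remove>",
    re.IGNORECASE | re.DOTALL,
)

# Heuristic (assumption): key=value or key: value pairs whose key name
# suggests a credential. Extend the list to match your own conventions.
SECRET_HINTS = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|credential)\s*[=:]",
    re.IGNORECASE,
)


def find_remove_blocks(markup: str) -> List[Dict]:
    """Return every <wicket:remove> block with its 1-based start line and
    whether its content matches the credential heuristic."""
    findings = []
    for m in REMOVE_BLOCK.finditer(markup):
        body = m.group(1)
        line_no = markup.count("\n", 0, m.start()) + 1
        findings.append({
            "line": line_no,
            "content": body.strip(),
            "suspicious": bool(SECRET_HINTS.search(body)),
        })
    return findings


def audit_template(markup: str) -> List[Dict]:
    """Only the blocks that look like they carry a secret."""
    return [f for f in find_remove_blocks(markup) if f["suspicious"]]


def audit_paths(paths: Iterable[Path]) -> Dict[str, List[Dict]]:
    """Audit a set of template files; keys are file names with findings."""
    report = {}
    for path in paths:
        hits = audit_template(path.read_text(encoding="utf-8"))
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; in practice pass
    # Path("src/main").rglob("*.html") to audit_paths instead.
    for hit in audit_template(SAMPLE_TEMPLATE):
        print(f"line {hit['line']}: suspicious <wicket:remove> content -> {hit['content']!r}")
```

The scanner reports the line of each flagged block so the secret can be moved out of the markup (into configuration loaded at runtime, for instance) rather than relying on the rendering step to strip it. Running it against the templates before and after the upgrade gives a simple check that no credential remains in a file that a future disclosure bug could expose.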