CVE-2024-36522

Summary

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Wicket10.0.0-M1 <= 10.0.0affected
Apache Software FoundationApache Wicket9.0.0 <= 9.17.0affected
Apache Software FoundationApache Wicket8.0.0 <= 8.15.0affected

Weaknesses

  • CWE-74: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References