CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53299 – Apache Wicket: An attacker can intentionally trigger a memory leak
https://notcve.org/view.php?id=CVE-2024-53299
23 Jan 2025 — The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources. Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue. The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources. Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue. • https://lists.apache.org/thread/gyp2ht00c62827y0379lxh5dbx3hhho5 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 3%CPEs: 3EXPL: 0CVE-2024-36522 – Apache Wicket: Remote code execution via XSLT injection
https://notcve.org/view.php?id=CVE-2024-36522
12 Jul 2024 — The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue. The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or ... • http://www.openwall.com/lists/oss-security/2024/07/12/2 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27439 – Apache Wicket: Possible bypass of CSRF protection
https://notcve.org/view.php?id=CVE-2024-27439
19 Mar 2024 — An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue. Un error en la evaluación de los encabezados de metadatos de recuperación podría permiti... • http://www.openwall.com/lists/oss-security/2024/03/19/2 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •