CVE-2016-6806

Severity: 8.8 HIGH
EPSS: 0.2% (top 62.37%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 3; latest update May 17

Description

Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to detect some cross-origin requests. The mitigation is to check not only the Origin HTTP header but also the Referer HTTP header when no Origin header was provided. Furthermore, not all Wicket server-side targets were subjected to the CSRF check; this was also fixed.
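The header-based half of that mitigation, written out as an added example for this page (it is not Apache Wicket code; the function names, the target URL and the request headers below are constructed). It puts the Origin-only resolver the description calls insufficient next to the Origin-then-Referer resolver it calls for, and shows the request class that slips past the first one: a cross-origin POST that carries a Referer but no Origin header.

```python
"""Origin/Referer CSRF source check in the style described for CVE-2016-6806.

Constructed illustration, not Apache Wicket's own listener. A real
implementation would also restrict the check to state-changing requests and
apply it to every server-side target type (the second part of the fix),
which this example leaves out.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample data: a protected Wicket-style form-submit URL and four
# header sets a browser might send with a POST to it.
TARGET = "https://app.example.com/app/page?3-1.IFormSubmitListener-transferForm"
SAME_ORIGIN_POST = {"Origin": "https://app.example.com",
                    "Referer": "https://app.example.com/app/page"}
CROSS_ORIGIN_POST = {"Origin": "https://attacker.example",
                     "Referer": "https://attacker.example/csrf.html"}
REFERER_ONLY_POST = {"Referer": "https://attacker.example/csrf.html"}  # no Origin
HEADERLESS_POST = {}


def origin_of(url):
    """Return (scheme, host, port) for an absolute URL, or None if it has no
    usable origin (relative URL, the literal "null" Origin, bad port)."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS.get(scheme))


def source_origin_only(headers):
    """Pre-fix behaviour as the advisory describes it: only Origin is consulted,
    so a request without that header yields no source origin at all."""
    origin = headers.get("Origin")
    return origin_of(origin) if origin else None


def source_origin_or_referer(headers):
    """Fixed behaviour: fall back to the Referer header when Origin is absent."""
    origin = headers.get("Origin")
    if origin:
        return origin_of(origin)
    referer = headers.get("Referer")
    return origin_of(referer) if referer else None


def check(headers, target_url, resolve, no_origin_action="allow"):
    """Decide 'allow' or 'reject' for a request against target_url.

    resolve picks the source-origin strategy; no_origin_action is the policy
    for requests whose source cannot be determined (an assumption of this
    example, not a statement of Wicket's default).
    """
    source = resolve(headers)
    if source is None:
        return no_origin_action
    return "allow" if source == origin_of(target_url) else "reject"


def run_examples(no_origin_action="allow"):
    """Map each sample request to (origin-only verdict, origin-or-referer verdict)."""
    samples = {"same_origin": SAME_ORIGIN_POST, "cross_origin": CROSS_ORIGIN_POST,
               "referer_only": REFERER_ONLY_POST, "headerless": HEADERLESS_POST}
    return {name: (check(h, TARGET, source_origin_only, no_origin_action),
                   check(h, TARGET, source_origin_or_referer, no_origin_action))
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, verdicts in run_examples().items():
        print(f"{name:13s} origin-only={verdicts[0]:7s} origin-or-referer={verdicts[1]}")
```

The `referer_only` row is the one this CVE is about: with the Origin-only resolver the request has no source origin and falls through to the no-origin policy, so an `allow` policy lets a cross-site POST through; with the Referer fallback the same request is recognised as cross-origin and rejected. Two caveats a deployment still has to decide for itself: what to do when neither header is present (a permissive `no_origin_action` re-opens a narrower version of the same gap), and how to treat `Origin: null`, which this example parses as "no origin" and therefore also routes to that policy.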

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Network attack vector, low complexity, no privileges required, user interaction required (the victim's browser must issue the request), scope unchanged, high impact on confidentiality, integrity and availability.

Affected Packages (3 packages)

Maven: org.apache.wicket:wicket-core, affected from 6.20.0, fixed in 6.25.0 (+2 more ranges)
NVD: apache/wicket, 11 versions (+10 more)

Vulnerability Details (3 sources)

OSV: Apache Wicket vulnerable to CSRF attacks (2022-05-17)
GHSA: Apache Wicket vulnerable to CSRF attacks (2022-05-17)
CVEList: CVE-2016-6806: Apache Wicket 6 (2017-10-02)

Source: CVE-2016-6806 (HIGH CVSS 8.8) | Apache Wicket 6.x before 6.25.0 | cvebase.io