Severity
7.5 HIGH
EPSS
2.0%
top 16.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Aug 11
Latest update May 7

Description

By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside an HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

NVD | apache/wicket | 8.0.0 | 8.9.0 | +2
Maven | org.apache.wicket:wicket-core | 8.0.0 | 8.9.0 | +6
CVEListV5 | apache_wicket | Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5
NVD | apache/fortress | 2.0.5

Vulnerability Details (3)
GHSA
Exposure of Sensitive Information to an Unauthorized Actor in Apache Wicket (2021-05-07)
OSV
Exposure of Sensitive Information to an Unauthorized Actor in Apache Wicket (2021-05-07)
CVEList
CVE-2020-11976: By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates (2020-08-11)