CVE-2024-36522

CWE-74 | 4 documents | 4 sources
Severity
9.8 CRITICAL
EPSS
8.3% (top 7.76%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 12

Description

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

Source      Package                                          Version range
NVD         apache/wicket                                    8.0.0 to 8.16.0 (+2 more)
Maven       org.apache.wicket:wicket-util                    10.0.0-M1 to 10.1.0 (+2 more)
CVEListV5   apache_software_foundation/apache_wicket         10.0.0-M1 to 10.0.0 (+2 more)

Vulnerability Details (3)

GHSA     Apache Wicket: Remote code execution via XSLT injection (2024-07-12)
CVEList  Apache Wicket: Remote code execution via XSLT injection (2024-07-12)
OSV      Apache Wicket: Remote code execution via XSLT injection (2024-07-12)
CVE-2024-36522 (CRITICAL CVSS 9.8) | The default configuration of XSLTRe | cvebase.io