Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.4.x and 1.5.x Description: https://wicket.apache.org/2012/09/06/cve-2012-3373.html It is possible to inject JavaScript statements into an ajax link by adding an encoded null byte to a URL pointing to a Wicket app. This could be done by sending a legitimate user a manipulated URL and tricking the user into clicking on it. This vulnerability is fixed in - Apache Wicket 1.4.21 https://wicket.apache.org/2012/09/05/wicket-1.4.21-released.html - Apache Wicket 1.5.8 https://wicket.apache.org/2012/08/24/wicket-1.5.8-released.html Apache Wicket 6.0.0 is not affected. Credit: This issue was reported by Thomas Heigl. Apache Wicket Team
