CVE-2020-11976

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 11-08-2020 09:15

Last modified: - 26-04-2022 07:06

Total changes: - 6

Description

By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

High

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

vendor=apache AND product=fortress AND version=2.0.5

vendor=apache AND product=wicket AND versionEndExcluding=7.17.0

vendor=apache AND product=wicket AND versionStartIncluding=8.0.0 AND versionEndExcluding=8.9.0

vendor=apache AND product=wicket AND version=9.0.0 AND update=milestone1

vendor=apache AND product=wicket AND version=9.0.0 AND update=milestone2

vendor=apache AND product=wicket AND version=9.0.0 AND update=milestone3

vendor=apache AND product=wicket AND version=9.0.0 AND update=milestone4

vendor=apache AND product=wicket AND version=9.0.0 AND update=milestone5

Reference

https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E
[directory-dev] 20210513 [jira] [Created] (FC-293) [fortress-web] CVE-2020-11976-Mailing List, Vendor Advisory
[directory-commits] 20210513 [directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -> 8.9.0-Mailing List, Patch, Vendor Advisory
[directory-dev] 20210514 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976-Mailing List, Vendor Advisory
[directory-dev] 20210626 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976-Mailing List, Vendor Advisory
[directory-dev] 20210626 [jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976-Mailing List, Vendor Advisory
[directory-dev] 20210626 [jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976-Mailing List, Vendor Advisory
[directory-dev] 20210626 [jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976-Mailing List, Vendor Advisory

Keywords

CVE-2020-11976

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2020-11976

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures