Pedro Henrique Oliveira Dos Santos

**Name of the Vulnerable Software and Affected Versions** Apache Wicket versions 8.0.0 through 8.17.0 Apache Wicket version 9.0.0 Apache Wicket versions 10.0.0 through 10.8.0 **Description** A session fixation attack is possible due to the missing invocation of the Servlet http web request method `changeSessionId()` after session binding. **Recommendations** Upgrade to version 10.9.0.

**Name of the Vulnerable Software and Affected Versions** Apache Wicket versions 8.0.0 through 8.17.0 Apache Wicket version 9.0.0 Apache Wicket versions 10.0.0 through 10.8.0 **Description** Improper neutralization of input during web page generation allows for Cross-site Scripting (XSS), a flaw where an application includes untrusted data in a web page without proper validation or encoding, potentially allowing attackers to execute malicious scripts in the victim's browser. **Recommendations** Upgrade to version 10.9.0.

**Name of the Vulnerable Software and Affected Versions** Apache Wicket versions 8.0.0 through 8.17.0 Apache Wicket versions 9.0.0 through 9.22.0 Apache Wicket versions 10.0.0 through 10.8.0 **Description** Exposure of sensitive information to an unauthorized actor. **Recommendations** Upgrade to version 10.9.0.

**Name of the Vulnerable Software and Affected Versions** Apache Wicket versions 8.0.0 through 8.17.0 Apache Wicket versions 9.0.0 through 9.22.0 Apache Wicket versions 10.0.0 through 10.8.0 **Description** FolderUploadsFileManager fails to validate or sanitize the `uploadFieldId` parameter or the `clientFileName` before constructing file paths. This allows an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server. **Recommendations** Upgrade to version 10.9.0.

**Name of the Vulnerable Software and Affected Versions** Apache Wicket version 7.0.0 Apache Wicket versions prior to 9.19.0 Apache Wicket versions prior to 10.3.0 **Description** The request handling in the core of Apache Wicket allows an attacker to create a denial of service (DOS) attack via multiple requests to server resources. This issue is caused by a flaw in the request handling mechanism, resulting in a memory leak. To fix this issue, users are recommended to upgrade to patched versions. **Recommendations** For Apache Wicket version 7.0.0, upgrade to version 9.19.0 or 10.3.0 to fix the issue. For Apache Wicket versions prior to 9.19.0, upgrade to version 9.19.0 or later to fix the issue. For Apache Wicket versions prior to 10.3.0, upgrade to version 10.3.0 or later to fix the issue.