PT-2017-9021 · Apache · Apache Wicket

Published

2017-10-02

·

Updated

2022-05-17

·

CVE-2016-6806

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Wicket versions 6.x through 6.24.0
Apache Wicket versions 7.x through 7.4.0
Apache Wicket version 8.0.0-M1
Description

The CSRF prevention measure fails to identify certain cross-origin requests. It consults only the Origin HTTP header and does not fall back to the Referer HTTP header when Origin is absent, so a cross-origin request that arrives without an Origin header (browsers of the period did not always send one) is treated as same-origin and passes the check. In addition, not all server-side targets were subject to the CSRF check, so requests aimed at the unchecked targets bypassed it even when Origin was present.
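The two gaps named in the description, shown side by side as an added Python example. This is not Apache Wicket's code (the real listener is Java and its configurable policies are not reproduced here); it is a generic model of the weak check and of a hardened one. The request dictionaries, the `SITE_ORIGIN` value and the target names `form-submit` and `ajax-link` are constructed for illustration, and the hardened variant's choice to reject a state-changing request that carries neither header is an assumed strict policy, not a statement about what any Wicket release does.

```python
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"  # assumed deployment origin (constructed)
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def normalize_origin(url):
    """Reduce a URL or Origin value to scheme://host:port.

    Returns None for values that carry no usable origin, e.g. "null" or
    a malformed header, so callers can treat them as unknown.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    if port is None:
        return None
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def weak_is_allowed(request):
    """Vulnerable pattern (model of the flaw, not Wicket's source):
    only one target type is checked, only Origin is consulted, and a
    missing Origin is treated as a same-origin request."""
    if request["target"] != "form-submit":
        return True  # gap 2: other server-side targets are never checked
    origin = request["headers"].get("origin")
    if origin is None:
        return True  # gap 1: no Origin header means no check at all
    return normalize_origin(origin) == normalize_origin(SITE_ORIGIN)


def hardened_is_allowed(request):
    """Corrected pattern: every state-changing request is checked
    regardless of target, Referer is used when Origin is absent or
    unusable, and a request carrying neither is rejected (assumed
    strict policy)."""
    if request["method"].upper() not in STATE_CHANGING:
        return True
    headers = request["headers"]
    source = headers.get("origin")
    if source is None or normalize_origin(source) is None:
        source = headers.get("referer")  # Referer is a full URL; path is dropped
    if source is None:
        return False
    return normalize_origin(source) == normalize_origin(SITE_ORIGIN)


def constructed_requests():
    """Sample requests constructed for this example (not captured traffic)."""
    return {
        "same_origin": {
            "method": "POST", "target": "form-submit",
            "headers": {"origin": "https://app.example"}},
        "same_origin_referer_only": {
            "method": "POST", "target": "form-submit",
            "headers": {"referer": "https://app.example/settings"}},
        "cross_with_origin": {
            "method": "POST", "target": "form-submit",
            "headers": {"origin": "https://evil.example"}},
        # Cross-origin form post from a browser that sends Referer but no Origin.
        "cross_referer_only": {
            "method": "POST", "target": "form-submit",
            "headers": {"referer": "https://evil.example/csrf.html"}},
        # Cross-origin request aimed at a target the weak check never covers.
        "cross_other_target": {
            "method": "POST", "target": "ajax-link",
            "headers": {"origin": "https://evil.example"}},
    }


def evaluate():
    """Map each sample request to (weak_allowed, hardened_allowed)."""
    return {name: (weak_is_allowed(req), hardened_is_allowed(req))
            for name, req in constructed_requests().items()}


if __name__ == "__main__":
    for name, (weak, hardened) in evaluate().items():
        print(f"{name:26s} weak={weak!s:5s} hardened={hardened}")
```

The two rows where the weak check answers True and the hardened check answers False are exactly the description's two gaps: a cross-origin post that only carries Referer, and a cross-origin post to a target outside the checked set.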
Recommendations

Apache Wicket 6.x through 6.24.0: update to 6.25.0 or later.
Apache Wicket 7.x through 7.4.0: update to 7.5.0 or later.
Apache Wicket 8.0.0-M1: update to 8.0.0-M2 or a later 8.x release.

The correction is in the framework itself: the fixed releases consult the Referer header when Origin is absent and apply the CSRF check to every server-side target, so upgrading is the remediation rather than reconfiguring the existing listener.

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2016-6806
GHSA-XC66-MG8R-Q6R5

Affected Products

Apache Wicket