PT-2024-4004 · Apache · Apache Wicket

Cigar · Published 2024-05-27 · Updated 2025-07-10 · CVE-2024-36522

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache Wicket versions prior to 10.1.0
Apache Wicket versions prior to 9.18.0
Apache Wicket versions prior to 8.16.0
Description

The issue stems from improper control of code generation in the Apache Wicket framework, which allows a remote attacker to gain unauthorized access to protected information, execute arbitrary code and take full control of the application. The vulnerability is also described as remote code execution via XSLT injection when input from an untrusted source is processed without validation.
Recommendations

For versions prior to 10.1.0, upgrade to version 10.1.0. For versions prior to 9.18.0, upgrade to version 9.18.0. For versions prior to 8.16.0, upgrade to version 8.16.0. As a temporary workaround, restrict the use of the XSLTResourceStream.java component until a patch is available, and do not use XSLTResourceStream.java to process input from untrusted sources without validation until the issue is resolved.
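The workaround above comes down to one rule: an XSLT stylesheet is executable code, so it must never be built from or selected by untrusted input. The following is an added example (not code from the Apache Wicket project or from this advisory) of how an application can keep that rule while still transforming untrusted XML. It assumes the application ships its own stylesheets and exposes them by an allow-listed name; the class name SafeXsltTransform, the allow-list and the embedded sample stylesheet are constructed for illustration. It uses only the JAXP javax.xml.transform API, which is the machinery an XSLT transform in a Wicket application ultimately runs on.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Set;

/**
 * Defensive XSLT handling (added example, not Wicket project code).
 * Assumptions: stylesheets are bundled with the application and chosen
 * by an allow-listed name; the XML document may come from an untrusted
 * source and is treated strictly as data, never as a stylesheet.
 */
public final class SafeXsltTransform {

    // Constructed sample: a stylesheet the application itself ships.
    private static final String BUNDLED_UPPERCASE_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\">"
      + "<xsl:value-of select=\"translate(/greeting,"
      + " 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')\"/>"
      + "</xsl:template></xsl:stylesheet>";

    // Only names listed here can ever be resolved to a stylesheet.
    private static final Set<String> ALLOWED_STYLESHEETS = Set.of("uppercase");

    /** Defence in depth: even a trusted stylesheet runs with JAXP hardening. */
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing disables extension functions and applies resource limits.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Forbid the stylesheet or the input from fetching external DTDs or stylesheets.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Resolves a request parameter to a bundled stylesheet, or rejects it. */
    static String lookupStylesheet(String name) {
        if (!ALLOWED_STYLESHEETS.contains(name)) {
            throw new IllegalArgumentException("unknown stylesheet: " + name);
        }
        return BUNDLED_UPPERCASE_XSLT;
    }

    /** Transforms untrusted XML with a trusted, allow-listed stylesheet. */
    public static String transform(String stylesheetName, String untrustedXml) throws Exception {
        Transformer t = hardenedFactory().newTransformer(
            new StreamSource(new StringReader(lookupStylesheet(stylesheetName))));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(untrustedXml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Untrusted XML is fine as input; the stylesheet is the application's own.
        System.out.println(transform("uppercase", "<greeting>hello wicket</greeting>"));
        // A stylesheet name that is not on the allow-list is refused before any parsing.
        try {
            transform("user-supplied", "<greeting/>");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The important part is lookupStylesheet: the request only ever picks from stylesheets the application bundled, so no request content is parsed as XSLT. The factory settings are a second layer, not a substitute; note that a non-JDK TransformerFactory (for example one provided by a third-party XSLT processor on the classpath) may reject the ACCESS_EXTERNAL_* attributes with an IllegalArgumentException, which is worth catching and logging rather than silently ignoring.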

Fix · RCE · Code Injection · Special Elements Injection

Weakness Enumeration

Related Identifiers

BDU:2024-04429
CVE-2024-36522
GHSA-HHWC-GH8H-9RRP

Affected Products

Apache Wicket