org.apache.wicket:wicket-core 8.18.0

Direct Vulnerabilities

Known vulnerabilities in the org.apache.wicket:wicket-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) org.apache.wicket:wicket-core is a Java web application framework that takes simplicity, separation of concerns and ease of development to a whole new level. Wicket pages can be mocked up, previewed and later revised using standard WYSIWYG HTML design tools. Dynamic content processing and form handling is all handled in Java code using a first-class component model backed by POJO data beans that can easily be persisted using your favorite technology. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper neutralization of JavaScript in `PopupSettings.java‎`, `Link.java`, and `ExternalLink.java` markup. An attacker can execute arbitrary JavaScript code in the user's browser by injecting specially crafted strings. Note: While the Apache Security Advisory suggests only versions above 8.x are affected, this is likely because 7.x and below are EoL as the vulnerable code has been traced to earlier versions. How to fix Cross-site Scripting (XSS)? Upgrade `org.apache.wicket:wicket-core` to version 10.9.0 or higher.	[,10.9.0)
H Directory Traversal org.apache.wicket:wicket-core is a Java web application framework that takes simplicity, separation of concerns and ease of development to a whole new level. Wicket pages can be mocked up, previewed and later revised using standard WYSIWYG HTML design tools. Dynamic content processing and form handling is all handled in Java code using a first-class component model backed by POJO data beans that can easily be persisted using your favorite technology. Affected versions of this package are vulnerable to Directory Traversal via the `internalGetResourceStream` function in `PackageResource.java‎`. An attacker can access sensitive information by submitting specially crafted URLs that bypass resource access restrictions. Note: While the Apache Security Advisory suggests only versions above 8.x are affected, this is likely because 7.x and below are EoL, as the vulnerable code has been traced to earlier versions. How to fix Directory Traversal? Upgrade `org.apache.wicket:wicket-core` to version 10.9.0 or higher.	[,10.9.0)
H Directory Traversal org.apache.wicket:wicket-core is a Java web application framework that takes simplicity, separation of concerns and ease of development to a whole new level. Wicket pages can be mocked up, previewed and later revised using standard WYSIWYG HTML design tools. Dynamic content processing and form handling is all handled in Java code using a first-class component model backed by POJO data beans that can easily be persisted using your favorite technology. Affected versions of this package are vulnerable to Directory Traversal via the `uploadFieldId` and `clientFileName` arguments to `FolderUploadsFileManager`. An attacker can read or write arbitrary files outside the intended directory. How to fix Directory Traversal? Upgrade `org.apache.wicket:wicket-core` to version 10.9.0 or higher.	[8.0.0-M1,10.9.0)
H Allocation of Resources Without Limits or Throttling org.apache.wicket:wicket-core is a Java web application framework that takes simplicity, separation of concerns and ease of development to a whole new level. Wicket pages can be mocked up, previewed and later revised using standard WYSIWYG HTML design tools. Dynamic content processing and form handling is all handled in Java code using a first-class component model backed by POJO data beans that can easily be persisted using your favorite technology. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a memory leak that can be triggered by an attacker sending multiple simultaneous requests to the server. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.wicket:wicket-core` to version 9.19.0, 10.3.0 or higher.	[7.0.0-M1,9.19.0)[10.0.0-M1,10.3.0)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

org.apache.wicket:wicket-core is a Java web application framework that takes simplicity, separation of concerns and ease of development to a whole new level. Wicket pages can be mocked up, previewed and later revised using standard WYSIWYG HTML design tools. Dynamic content processing and form handling is all handled in Java code using a first-class component model backed by POJO data beans that can easily be persisted using your favorite technology.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper neutralization of JavaScript in PopupSettings.java‎, Link.java, and ExternalLink.java markup. An attacker can execute arbitrary JavaScript code in the user's browser by injecting specially crafted strings.

Note: While the Apache Security Advisory suggests only versions above 8.x are affected, this is likely because 7.x and below are EoL as the vulnerable code has been traced to earlier versions.

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.wicket:wicket-core to version 10.9.0 or higher.

[,10.9.0)

Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the internalGetResourceStream function in PackageResource.java‎. An attacker can access sensitive information by submitting specially crafted URLs that bypass resource access restrictions.

Note: While the Apache Security Advisory suggests only versions above 8.x are affected, this is likely because 7.x and below are EoL, as the vulnerable code has been traced to earlier versions.

How to fix Directory Traversal?

Upgrade org.apache.wicket:wicket-core to version 10.9.0 or higher.

[,10.9.0)

Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the uploadFieldId and clientFileName arguments to FolderUploadsFileManager. An attacker can read or write arbitrary files outside the intended directory.

How to fix Directory Traversal?

Upgrade org.apache.wicket:wicket-core to version 10.9.0 or higher.

[8.0.0-M1,10.9.0)

Allocation of Resources Without Limits or Throttling

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a memory leak that can be triggered by an attacker sending multiple simultaneous requests to the server.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.wicket:wicket-core to version 9.19.0, 10.3.0 or higher.

[7.0.0-M1,9.19.0)[10.0.0-M1,10.3.0)

org.apache.wicket:wicket-core@8.18.0

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically