CVE-2024-36522: Apache Wicket: Remote code execution via XSLT injection

July 12, 2024

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

References

github.com/advisories/GHSA-hhwc-gh8h-9rrp
github.com/apache/wicket
lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc
nvd.nist.gov/vuln/detail/CVE-2024-36522

Code Behaviors & Features

Detect and mitigate CVE-2024-36522 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →