[zero.lol ASCII-art banner]
https://zero.lol
zero days 4 days
ATTENTION:
CVE-2020-11976 - Apache Wicket LFI / markup source file read vulnerability
------------------------------------------
By crafting a special URL it is possible to make Wicket serve the raw, unprocessed HTML markup template of a page instead of the rendered output.
An attacker can therefore read anything the template contains that Wicket would normally strip during rendering, which may include sensitive information that the developer never intended to reach the client.
Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5.
For example, if there are credentials in the markup which are never supposed to be visible to the client, such as inside a block that is removed at render time:
<wicket:remove>
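The point of the advisory is the gap between what Wicket renders and what sits in the template file on disk: a `<wicket:remove>` block is dropped from the rendered page, but a raw read of the markup returns it verbatim. The following Python script is an added example written for this page, not code from the advisory or the Wicket project. It approximates the render step by stripping `<wicket:remove>` blocks, shows what a raw template read exposes instead, and walks a source tree flagging removed blocks that look like they hold credentials, which is the check a defender would run against a Wicket codebase on a vulnerable version. The sample template, the file path `com/example/HomePage.html` and the credential values are all constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample template (not from the advisory). The credential values
# are placeholders chosen for the example.
SAMPLE_MARKUP = """<html xmlns:wicket="http://wicket.apache.org">
<body>
<wicket:remove>
  <!-- designer preview only; stripped by Wicket at render time -->
  <span>db_user=admin db_pass=hunter2</span>
</wicket:remove>
<span wicket:id="greeting">Hello</span>
<wicket:remove><p>Lorem ipsum placeholder</p></wicket:remove>
</body>
</html>
"""

_REMOVE_BLOCK = re.compile(r"<wicket:remove\b[^>]*>(.*?)</wicket:remove\s*>",
                           re.DOTALL | re.IGNORECASE)
# Heuristic for values that should never be in a template in the first place.
_SECRET_HINT = re.compile(r"(?:pass(?:word|wd)?|secret|token|api[_-]?key)\s*[=:]",
                          re.IGNORECASE)


def render_markup(markup: str) -> str:
    """Approximate the client-visible output: drop every <wicket:remove> block.
    Wicket's real renderer does much more, but this is the part that matters here."""
    return _REMOVE_BLOCK.sub("", markup)


def removed_blocks(markup: str) -> list[str]:
    """Inner text of each <wicket:remove> block, i.e. what a raw template read exposes."""
    return [m.strip() for m in _REMOVE_BLOCK.findall(markup)]


def audit_markup(markup: str) -> list[str]:
    """Return the removed blocks that look like they carry credentials."""
    return [block for block in removed_blocks(markup) if _SECRET_HINT.search(block)]


def audit_tree(root: Path) -> dict[str, list[str]]:
    """Walk a source tree and map each .html template to its suspicious removed blocks."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.html")):
        hits = audit_markup(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Write the constructed template into a temporary tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "com" / "example").mkdir(parents=True)
        (root / "com" / "example" / "HomePage.html").write_text(SAMPLE_MARKUP, encoding="utf-8")
        return audit_tree(root)


if __name__ == "__main__":
    print("rendered output contains secret:", "hunter2" in render_markup(SAMPLE_MARKUP))
    print("raw template contains secret:   ", "hunter2" in SAMPLE_MARKUP)
    for path, hits in demo().items():
        print(f"{path}:")
        for h in hits:
            print("   ", h.replace("\n", " "))
```

Run it against a real project by calling `audit_tree(Path("src/main/java"))`; Wicket keeps page markup next to the page class, so that is where the `.html` files live. The keyword heuristic is deliberately crude and will miss secrets that are not labelled as such, so treat an empty result as a prompt to also grep removed blocks by hand rather than as a clean bill of health. Upgrading past the affected versions is the fix; the audit only tells you what a raw template read would have leaked.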