CVE-2024-36522: Apache Wicket: Remote code execution via XSLT injection

Vendor: Apache Software Foundation
Product: Apache Wicket
Weakness: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection")
Published: July 12, 2024
Last update: February 13, 2025

Description

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.
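The advisory names the bug class (XSLT injection) but not the mechanism. The example below is added here and is not Wicket's code or the CVE's payload; it shows the generic Java pattern behind this class of bug: javax.xml.transform with a default TransformerFactory will compile an attacker-supplied stylesheet, and the JDK's built-in XSLTC processor (like Xalan) exposes Java extension functions through the http://xml.apache.org/xalan/java/ namespace, so a stylesheet the attacker controls can call into the JVM. The constructed stylesheet calls the harmless System.getProperty to make the point; the hardened factory beside it sets FEATURE_SECURE_PROCESSING and disables external DTD and stylesheet access, which is the standard mitigation for code that must transform untrusted XSLT. Class and method names (XsltInjectionDemo, weakFactory, hardenedFactory, transform) are assumptions for this illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltInjectionDemo {

    // Constructed stylesheet standing in for attacker-controlled input.
    // The "sys" namespace binds to the XSLTC/Xalan Java extension-function
    // mechanism; here it calls System.getProperty, but the same mechanism
    // reaches any public static method on the classpath.
    static final String UNTRUSTED_XSLT =
        "<xsl:stylesheet version=\"1.0\""
      + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
      + " xmlns:sys=\"http://xml.apache.org/xalan/java/java.lang.System\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\">"
      + "<xsl:value-of select=\"sys:getProperty('java.version')\"/>"
      + "</xsl:template>"
      + "</xsl:stylesheet>";

    // Constructed input document; the stylesheet ignores it.
    static final String INPUT_XML = "<root/>";

    /** Weak pattern: a default factory, extension functions and external fetches allowed. */
    static TransformerFactory weakFactory() {
        return TransformerFactory.newInstance();
    }

    /** Hardened pattern: secure processing on, no external DTD/stylesheet resolution. */
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        // Disables Java extension functions (and other dangerous features) in XSLTC/Xalan.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Block document()/xsl:import/xsl:include and DTD fetches to external resources.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    /** Compiles the stylesheet and applies it to the input, returning the text output. */
    static String transform(TransformerFactory f, String xslt, String xml) throws Exception {
        Transformer t = f.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Whether the weak path actually executes the extension call depends on the
        // JDK's XSLT implementation and the jdk.xml.enableExtensionFunctions setting.
        try {
            System.out.println("weak factory ran attacker stylesheet, output: "
                + transform(weakFactory(), UNTRUSTED_XSLT, INPUT_XML));
        } catch (TransformerException e) {
            System.out.println("weak factory refused extension call: " + e.getMessage());
        }

        // With secure processing enabled XSLTC rejects the extension function,
        // either at compile time (TransformerConfigurationException) or at run time.
        try {
            transform(hardenedFactory(), UNTRUSTED_XSLT, INPUT_XML);
            System.out.println("hardened factory did NOT block the extension call");
        } catch (TransformerException e) {
            System.out.println("hardened factory blocked it: " + e.getMessage());
        }
    }
}
```

The practical check for any code path that compiles an XSLT it did not ship with: confirm the factory has FEATURE_SECURE_PROCESSING set before newTransformer is called, and treat a stylesheet sourced from a request or upload as code, not data. Secure processing restricts extension functions and resource access, but it is not a sandbox; the only safe default for untrusted XSLT is not to compile it at all.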

Disclosure timeline

July 12, 2024: CVE published
February 13, 2025: Record updated