Vulnerability Details : CVE-2020-11976
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
Products affected by CVE-2020-11976
- cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:wicket:9.0.0:milestone5:*:*:*:*:*:*
- cpe:2.3:a:apache:wicket:9.0.0:milestone1:*:*:*:*:*:*
- cpe:2.3:a:apache:wicket:9.0.0:milestone2:*:*:*:*:*:*
- cpe:2.3:a:apache:wicket:9.0.0:milestone3:*:*:*:*:*:*
- cpe:2.3:a:apache:wicket:9.0.0:milestone4:*:*:*:*:*:*
- cpe:2.3:a:apache:fortress:2.0.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11976
2.03%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 83 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11976
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2020-11976
-
The product makes files or directories accessible to unauthorized actors, even though they should not be.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11976
-
https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1@%3Cdev.directory.apache.org%3E
[jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E
[CVE-2020-11976] Apache Wicket information disclosure vulnerability - Pony MailMailing List;Release Notes;Vendor Advisory
-
https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff@%3Cdev.directory.apache.org%3E
[jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7@%3Ccommits.directory.apache.org%3E
[directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -> 8.9.0 - Pony MailMailing List;Patch;Vendor Advisory
-
https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19@%3Cdev.directory.apache.org%3E
[jira] [Created] (FC-293) [fortress-web] CVE-2020-11976 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923@%3Cdev.directory.apache.org%3E
[jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49@%3Cdev.directory.apache.org%3E
Pony Mail!Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22@%3Cdev.directory.apache.org%3E
[jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976 - Pony MailMailing List;Vendor Advisory
Jump to