Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-6806

Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.

Published

2017-10-03T01:29:00.967

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.6

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-352
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apache wicket 6.20.0 Yes
Application apache wicket 6.21.0 Yes
Application apache wicket 6.22.0 Yes
Application apache wicket 6.23.0 Yes
Application apache wicket 6.24.0 Yes
Application apache wicket 7.0.0 Yes
Application apache wicket 7.1.0 Yes
Application apache wicket 7.2.0 Yes
Application apache wicket 7.3.0 Yes
Application apache wicket 7.4.0 Yes
Application apache wicket 8.0.0 Yes
References