CVE-2016-6806

Published: Oct 2, 2017

Modified: Sep 16, 2024

PUBLISHED

Description

Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.

Vendor	Product	Versions
Apache Software Foundation	Apache Wicket	affected `6.20.0` affected `6.21.0` affected `6.22.0` affected `6.23.0` affected `6.24.0` +6 more versions

References

[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2016-6806

Description

Affected Products

References