
The Apache Wicket Project Management Committee (PMC) has released security updates to address a critical remote code execution vulnerability stemming from a potential XSLT injection attack, which enabled malicious actors to execute arbitrary code on affected systems.
Apache Wicket is a popular open-source framework powering thousands of web applications and websites worldwide. Its user-friendly, component-oriented design has made it a favorite among developers in diverse sectors, including government, education, finance, and e-commerce.
The vulnerability, tracked as CVE-2024-36522, could have allowed attackers to gain control over vulnerable web applications and potentially compromise sensitive data. By injecting malicious XSLT code, attackers could exploit the framework’s functionality to execute harmful commands on the server side.
The Apache Wicket PMC has promptly addressed the issue by releasing updated versions 9.18.0 and 10.1.0, which include a patch for CVE-2024-36522. It is recommended to upgrade to these latest versions immediately.
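As an added illustration, not code from the Wicket project or from its patch, the following Java class shows the standard JAXP hardening that applies to any XSLT processing of untrusted stylesheets: it configures a TransformerFactory with secure processing enabled and external access disabled, and verifies with a constructed, benign canary stylesheet that Java extension functions (the usual path from XSLT injection to code execution) are refused. The class and method names, the canary stylesheet and the sample XML are assumptions.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltHardeningCheck {

    // Constructed canary stylesheet: it only reads a harmless JVM property through the
    // Xalan/XSLTC Java-extension namespace. A hardened factory must refuse to compile or run it.
    private static final String CANARY_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
        + " xmlns:sys=\"http://xml.apache.org/xalan/java/java.lang.System\">"
        + "<xsl:output method=\"text\"/>"
        + "<xsl:template match=\"/\"><xsl:value-of select=\"sys:getProperty('java.version')\"/>"
        + "</xsl:template></xsl:stylesheet>";

    private static final String SAMPLE_XML = "<root/>"; // constructed input document

    /** Factory configured the way an application should process stylesheets it does not trust. */
    public static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Mandatory for every JAXP implementation; on the JDK's XSLTC it disables extension functions.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Keep xsl:import, xsl:include and document() away from the filesystem and network.
        // Third-party factories that do not know these attributes throw IllegalArgumentException.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Returns true when the factory rejects the canary, i.e. extension functions are blocked. */
    public static boolean blocksExtensionFunctions(TransformerFactory tf) {
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(CANARY_XSLT)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(SAMPLE_XML)), new StreamResult(out));
            return false; // the stylesheet reached into the JVM: this factory is not hardened
        } catch (TransformerException e) {
            return true;  // compile-time or run-time refusal of the extension call
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory blocks extension functions:  "
            + blocksExtensionFunctions(TransformerFactory.newInstance()));
        System.out.println("hardened factory blocks extension functions: "
            + blocksExtensionFunctions(hardenedFactory()));
    }
}
```

Whether the default factory passes the check depends on the JDK version and on the jaxp.properties settings in effect, so the check is worth running in the target environment rather than assumed.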