Home
Sebastien Briquet edited this page Feb 25, 2018
Security Vulnerabilities
CVE-2017-15719 - XSS in WYSIWYG editor
Severity: High
Affected Versions: <= 6.28.0, <= 7.9.1, <= 8.0.0-M8
Affected Artifacts:
- wicket-jquery-ui-plugins (com.googlecode.wicket.jquery.ui.plugins.wysiwyg.WysiwygEditor)
- wicket-kendo-ui (com.googlecode.wicket.kendo.ui.widget.editor.Editor)
A security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to the WYSIWYG editor.
All users are recommended to upgrade to the latest version (6.29.0, 7.10.1, 8.0.0-M9.1).
The issue was fixed in 6.28.1, 7.9.2, 8.0.0-M8.1.
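To check a project against the version ranges above, the following added example (not part of the wicket-jquery-ui project) scans a Maven pom.xml for the two affected artifacts and classifies each declared version. The function names and the sample pom are constructed for illustration, and the handling of major versions outside 6 to 8 is an assumption noted in the code.

```python
import re
import xml.etree.ElementTree as ET

# Artifact names and fixed versions come from the advisory above.
AFFECTED_ARTIFACTS = {"wicket-jquery-ui-plugins", "wicket-kendo-ui"}
FIRST_FIXED = {6: "6.28.1", 7: "7.9.2", 8: "8.0.0-M8.1"}

def version_key(version):
    """Sortable key; milestones (8.0.0-M8, 8.0.0-M8.1) sort before the final 8.0.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+)(?:\.(\d+))?)?", version.strip())
    if m is None:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, ms, ms_patch = m.groups()
    qualifier = (0, int(ms), int(ms_patch or 0)) if ms else (1, 0, 0)
    return (int(major), int(minor), int(patch)) + qualifier

def is_affected(version):
    """True when the version predates the first fixed release of its branch."""
    key = version_key(version)
    fixed = FIRST_FIXED.get(key[0])
    if fixed is None:
        # Assumption: majors below 6 fall under "<= 6.28.0"; majors above 8 are post-fix.
        return key[0] < 6
    return key < version_key(fixed)

def scan_pom(pom_xml):
    """Return (artifactId, version, status) for each affected artifact in a trusted pom.xml."""
    findings = []
    for node in ET.fromstring(pom_xml).iter():
        if node.tag.split("}")[-1] != "dependency":
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in node}
        if fields.get("artifactId") not in AFFECTED_ARTIFACTS:
            continue
        version = fields.get("version", "")
        try:
            status = "affected" if is_affected(version) else "fixed"
        except ValueError:
            status = "unresolved"  # ${property}, SNAPSHOT, or version managed elsewhere
        findings.append((fields["artifactId"], version, status))
    return findings

# Constructed sample, trimmed to the fields the scan reads.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><artifactId>wicket-jquery-ui-plugins</artifactId><version>7.9.1</version></dependency>
  <dependency><artifactId>wicket-kendo-ui</artifactId><version>8.0.0-M8.1</version></dependency>
  <dependency><artifactId>wicket-kendo-ui</artifactId><version>${wicket-jquery-ui.version}</version></dependency>
  <dependency><artifactId>wicket-core</artifactId><version>7.9.0</version></dependency>
</dependencies></project>"""
```

Calling `scan_pom(SAMPLE_POM)` returns one tuple per matching dependency; an "unresolved" status means the version has to be looked up in the effective pom.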
The issue has been identified in Apache OpenMeetings by Sahil Dhar (Security Innovation Inc).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15719
Apache OpenMeetings Security Page
http://openmeetings.apache.org/security.html#_toc_cve-2017-15719_-_wicket_jquery_ui_xss_in_wysiwyg_e