CVE-2024-36522

high-risk
Published 2024-07-12

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

Do I need to act?

~
8.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (3)

Wicket
Wicket
Wicket

Affected Vendors

Apache

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2024/07/12/2
Mailing List https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc
Mailing List http://www.openwall.com/lists/oss-security/2024/07/12/2
Mailing List https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc
51
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 10/34 · Low
Exposure 9/34 · Low