CVE-2016-6806
Severity CVSS v4.0:
Pending analysis
Type:
CWE-352
Cross-Site Request Forgery (CSRF)
Publication date:
03/10/2017
Last modified:
20/04/2025
Description
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to detect some cross-origin requests. The fix not only checks the Origin HTTP header but also takes the Referer HTTP header into account when no Origin header was provided. Furthermore, not all Wicket server-side targets were subjected to the CSRF check; this was also fixed.
Impact
| Metric | Base Score | Severity |
|---|---|---|
| CVSS 3.x | 8.80 | HIGH |
| CVSS 2.0 | 6.80 | MEDIUM |
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:wicket:6.20.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:wicket:6.21.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:wicket:6.22.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:wicket:6.23.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:wicket:6.24.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:wicket:7.0.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:wicket:7.1.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:wicket:7.2.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:wicket:7.3.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:wicket:7.4.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:wicket:8.0.0:m1:*:*:*:*:*:* | | |