Sebastien Briquet edited this page Feb 25, 2018 · 8 revisions

Security Vulnerabilities

CVE-2017-15719 - XSS in WYSIWYG editor

Severity: High
Affected Versions: <= 6.28.0, <= 7.9.1, <= 8.0.0-M8

Affected Artifacts:

  • wicket-jquery-ui-plugins (com.googlecode.wicket.jquery.ui.plugins.wysiwyg.WysiwygEditor)
  • wicket-kendo-ui (com.googlecode.wicket.kendo.ui.widget.editor.Editor)

A security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JavaScript code through the WYSIWYG editor (stored cross-site scripting).
All users are recommended to upgrade to the latest version (6.29.0, 7.10.1, 8.0.0-M9.1).
The issue was fixed in 6.28.1, 7.9.2, 8.0.0-M8.1.
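The quickest way to act on this advisory is to check which version of the two affected artifacts a build actually pulls in. The following is an added example, not code from the wicket-jquery-ui project: it encodes the affected version ranges and first fixed versions exactly as stated above, compares versions including the 8.0.0 milestone suffixes (`8.0.0-M8` is affected, `8.0.0-M8.1` is not), and scans constructed `mvn dependency:tree` style lines for the two artifact ids. The group id in the sample lines and the line format are assumptions about Maven's output; the check matches on artifact id and version only.

```python
import re
from typing import List, Optional, Tuple

# Artifact ids named as affected in the advisory; wicket-jquery-ui core is not listed.
AFFECTED_ARTIFACTS = {"wicket-jquery-ui-plugins", "wicket-kendo-ui"}
# Last affected and first fixed version per release line, as stated in the advisory.
LAST_AFFECTED = {6: "6.28.0", 7: "7.9.1", 8: "8.0.0-M8"}
FIRST_FIXED = {6: "6.28.1", 7: "7.9.2", 8: "8.0.0-M8.1"}

# major.minor.patch with an optional milestone suffix such as -M8 or -M8.1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+(?:\.\d+)*))?$")


def version_key(version: str) -> Tuple:
    """Turn a version string into a sortable tuple.

    A milestone (-Mx) sorts before the final release of the same number;
    milestones are compared numerically, so M8 < M8.1 < M9.1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, ())          # final release
    milestone = tuple(int(p) for p in m.group(4).split("."))
    return (major, minor, patch, 0, milestone)      # milestone release


def is_affected(version: str) -> Optional[bool]:
    """True if the version is within the advisory's affected range of its
    release line, False if fixed, None if the line is not covered here."""
    key = version_key(version)
    major = key[0]
    if major not in LAST_AFFECTED:
        return None
    return key <= version_key(LAST_AFFECTED[major])


# Maven prints dependencies as groupId:artifactId:type:version:scope
_TREE_RE = re.compile(r":(wicket-jquery-ui-plugins|wicket-kendo-ui):jar:([^:\s]+):")


def scan_dependency_tree(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (artifact, version, affected) for each affected artifact found."""
    findings = []
    for line in lines:
        m = _TREE_RE.search(line)
        if m and m.group(1) in AFFECTED_ARTIFACTS:
            artifact, version = m.group(1), m.group(2)
            findings.append((artifact, version, bool(is_affected(version))))
    return findings


# Constructed sample output; the group id is an assumption, not taken from the advisory.
SAMPLE_TREE = """\
[INFO] +- org.apache.wicket:wicket-core:jar:7.9.0:compile
[INFO] +- com.googlecode.wicket-jquery-ui:wicket-jquery-ui-plugins:jar:7.9.1:compile
[INFO] +- com.googlecode.wicket-jquery-ui:wicket-kendo-ui:jar:7.10.1:compile
[INFO] \\- com.googlecode.wicket-jquery-ui:wicket-jquery-ui:jar:7.9.1:compile
"""

if __name__ == "__main__":
    for artifact, version, affected in scan_dependency_tree(SAMPLE_TREE.splitlines()):
        major = version_key(version)[0]
        status = f"AFFECTED, upgrade to >= {FIRST_FIXED[major]}" if affected else "fixed"
        print(f"{artifact} {version}: {status}")
```

Pipe real `mvn dependency:tree` output into `scan_dependency_tree` to get the same report for a project; anything reported as affected should be moved to at least the fixed version of its release line, or preferably to the latest version named above.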

The issue was identified in Apache OpenMeetings by Sahil Dhar (Security Innovation Inc).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15719

Apache OpenMeetings Security Page

http://openmeetings.apache.org/security.html#_toc_cve-2017-15719_-_wicket_jquery_ui_xss_in_wysiwyg_e