CVE-2016-6806

high Apache
CVSS v3 Base Score
8.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
0.2%
Exploitation probability in 30 days
Top 63% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
High
Published: October 3, 2017 (3146 days ago)
Last Modified: May 13, 2026
Vendor: Apache
Source: NVD

Description

Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.

CWE

CWE-352

Affected Products

apache wicket

References

🔗 lists.apache.org 🔗 lists.apache.org