← Back to CVEs

CVE-2024-36522

CRITICAL

9.8

Description

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published7/12/2024

Last Modified7/10/2025

Sourcenvd

Honeypot Sightings0

Affected Products

apache:wicket

Weaknesses (CWE)

CWE-74

References

http://www.openwall.com/lists/oss-security/2024/07/12/2(security@apache.org)

https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc(security@apache.org)

http://www.openwall.com/lists/oss-security/2024/07/12/2(af854a3a-2127-422b-91ae-364da2661108)

https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.