CVE-2015-7520 - Vulnerability Details - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted "value" attribute in a <input> element.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.01397.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Wicket

Configuration 1 [-]

OR	cpe:2.3:a:apache:wicket::::::::
	cpe:2.3:a:apache:wicket::::::::
	cpe:2.3:a:apache:wicket::::::::

No data.

No data.

References

Link	Providers
http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html
http://www.securitytracker.com/id/1035166

History

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.02348}`	epss `{'score': 0.01397}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2016-04-12T17:00:00.000Z

Updated: 2024-08-06T07:51:28.374Z

Reserved: 2015-09-29T00:00:00.000Z

Link: CVE-2015-7520

Vulnrichment

No data.

NVD

Status : Modified

Published: 2016-04-12T17:59:01.217

Modified: 2026-05-06T22:30:45.220

Link: CVE-2015-7520

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-03-02T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted \"value\" attribute in a <input> element."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-04-12T16:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "1035166", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1035166"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-7520", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted \"value\" attribute in a <input> element."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1035166", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035166"}, {"name": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html", "refsource": "CONFIRM", "url": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T07:51:28.374Z"}, "title": "CVE Program Container", "references": [{"name": "1035166", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1035166"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7520", "datePublished": "2016-04-12T17:00:00.000Z", "dateReserved": "2015-09-29T00:00:00.000Z", "dateUpdated": "2024-08-06T07:51:28.374Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D81734E-4BD5-45D5-80AD-B6411A070A24", "versionEndExcluding": "1.5.15", "versionStartIncluding": "1.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC5AB86D-30D8-431A-AF00-496C5E5248ED", "versionEndExcluding": "6.22.0", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB23C89B-AFA2-4556-B0C0-2D12ED25E6D7", "versionEndExcluding": "7.2.0", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted \"value\" attribute in a <input> element."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en las clases (1) RadioGroup y (2) CheckBoxMultipleChoice en Apache Wicket 1.5.x en versiones anteriores a 1.5.15, 6.x en versiones anteriores a 6.22.0 y 7.x en versiones anteriores a 7.2.0 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un atributo \"valor\" manipulado en un elemento ."}], "id": "CVE-2015-7520", "lastModified": "2026-05-06T22:30:45.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-04-12T17:59:01.217", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1035166"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://wicket.apache.org/news/2016/03/02/cve-2015-7520.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1035166"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}