CVE-2014-3526 - Apache Wicket Information Disclosure Vulnerability

Date: 22 Sep 2014
Severity: Important
Vendor: The Apache Software Foundation

Affected Versions: Apache Wicket 1.5.11, 6.16.0, and 7.0.0-M2

Description: When rendering a web page, Wicket checks the request URL. If the application changes the page parameters and the requested URL differs, Wicket stores the response on the server and issues an HTTP redirect. Subsequent requests reuse this stored response, leading to potential information disclosure if multiple users with temporary sessions are redirected to the same URL.

Recommended Upgrades:
Apache Wicket 1.5.12
Apache Wicket 6.17.0
Apache Wicket 7.0.0-M3

Credit: Reported by Andrea Del Bene and Martin Grigorov.
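
The store-and-redirect behaviour in the Description, as a simplified model added here for illustration (not Wicket code and not the project's fix). The class, function names, URLs and session ids are hypothetical, and keying the stored response by session is an assumed mitigation shown only for contrast with URL-only keying.

```python
TARGET = "/profile?view=summary"  # constructed URL the page redirects to


class RedirectBuffer:
    """Rendered responses held between the redirect and the follow-up GET."""

    def __init__(self, bind_to_session):
        self.bind_to_session = bind_to_session
        self._store = {}

    def _key(self, url, session_id):
        # Weak variant: the URL alone identifies the stored response.
        # Bound variant (assumed mitigation): the session id is part of the key.
        return (url, session_id) if self.bind_to_session else (url,)

    def put(self, url, session_id, body):
        self._store[self._key(url, session_id)] = body

    def take(self, url, session_id):
        # One-shot: a buffered response is removed once it has been served.
        return self._store.pop(self._key(url, session_id), None)


def handle(buffer, session_id, url, user):
    """Return (status, body or redirect location) for one request."""
    buffered = buffer.take(url, session_id)
    if buffered is not None:
        return 200, buffered
    body = f"private page for {user}"
    if url != TARGET:
        # Page parameters changed during rendering: store, then redirect.
        buffer.put(TARGET, session_id, body)
        return 302, TARGET
    return 200, body


def simulate(bind_to_session):
    """Two users with temporary sessions are redirected before either follows."""
    buffer = RedirectBuffer(bind_to_session)
    alice, bob = "tmp-1", "tmp-2"  # constructed temporary session ids
    _, loc_a = handle(buffer, alice, "/profile", "alice")
    _, loc_b = handle(buffer, bob, "/profile", "bob")
    return {
        "alice": handle(buffer, alice, loc_a, "alice")[1],
        "bob": handle(buffer, bob, loc_b, "bob")[1],
    }


if __name__ == "__main__":
    print("url-keyed:", simulate(False), "session-bound:", simulate(True))
```

With URL-only keying the second redirect overwrites the first stored response, so the first user is served the second user's page; with the session in the key each user receives only their own.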