CVE-2017-15719
Description
In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to the WYSIWYG editor.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Wicket jQuery UI WYSIWYG editor versions prior to 6.28.1, 7.9.2, and 8.0.0-M8.1 allow XSS via arbitrary JS code submission.
Vulnerability
The vulnerability exists in the WYSIWYG editor component of Wicket jQuery UI. Affected artifacts include wicket-jquery-ui-plugins (class WysiwygEditor) and wicket-kendo-ui (class Editor). Versions 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier are vulnerable [1][2][3]. The editor fails to sanitize user input, allowing injection of arbitrary JavaScript code.
Exploitation
An attacker can submit arbitrary JS code to the WYSIWYG editor. This requires the attacker to have the ability to input content into the editor (e.g., via a web form). No authentication or special privileges are mentioned in the references, but typical usage implies the user is logged in. The attacker crafts malicious JavaScript and submits it through the editor.
Impact
Successful exploitation leads to Cross-Site Scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in data theft, session hijacking, or other malicious actions depending on the application's context.
Mitigation
The issue is fixed in versions 6.28.1, 7.9.2, and 8.0.0-M8.1 [1][3]. Users are recommended to upgrade to the latest available version (6.29.0, 7.10.1, 8.0.0-M9.1) [3]. For Apache OpenMeetings, upgrading to a version that includes the fix is necessary [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent (Maven) | < 6.28.1 | 6.28.1 |
| com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent (Maven) | >= 7.0.0, < 7.9.2 | 7.9.2 |
| com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent (Maven) | >= 8.0.0-M1, < 8.0.0-M8.1 | 8.0.0-M8.1 |
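
An added example (not part of the advisory or the project's code): a Python check that applies the affected ranges from the table above to `mvn dependency:list`-style lines. The sample lines are constructed, the artifact filter uses the two artifact names this page mentions, and the version parser is a simplification that handles only `X.Y.Z` and `X.Y.Z-Mn[.m]`, not full Maven version ordering.

```python
import re

# Affected ranges from the advisory table: (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [(None, "6.28.1"), ("7.0.0", "7.9.2"), ("8.0.0-M1", "8.0.0-M8.1")]
GROUP = "com.googlecode.wicket-jquery-ui"
# Artifacts this page names as carrying the editor classes (WysiwygEditor, Editor).
ARTIFACTS = {"wicket-jquery-ui-plugins", "wicket-kendo-ui"}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+(?:\.\d+)*))?$")


def version_key(version):
    """Sort key for X.Y.Z and X.Y.Z-Mn[.m]; a milestone sorts before its final release."""
    m = _VERSION.match(version)
    if not m:
        # Anything else (e.g. -SNAPSHOT) is rejected rather than guessed at.
        raise ValueError(f"unsupported version format: {version!r}")
    core = tuple(int(g) for g in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + (1, ())  # final release
    return core + (0, tuple(int(p) for p in m.group(4).split(".")))


def is_affected(version):
    """True if the version falls inside any affected range from the table."""
    key = version_key(version)
    return any(
        (low is None or key >= version_key(low)) and key < version_key(high)
        for low, high in AFFECTED_RANGES
    )


def scan(dependency_lines):
    """Return (artifact, version) pairs that are inside an affected range."""
    hits = []
    for line in dependency_lines:
        parts = line.replace("[INFO]", "").strip().split(":")
        # Expected shape: group:artifact:type:version:scope
        if len(parts) == 5 and parts[0] == GROUP and parts[1] in ARTIFACTS:
            if is_affected(parts[3]):
                hits.append((parts[1], parts[3]))
    return hits


# Constructed sample input, not taken from a real build.
SAMPLE = [
    "[INFO]    com.googlecode.wicket-jquery-ui:wicket-jquery-ui-plugins:jar:7.9.1:compile",
    "[INFO]    com.googlecode.wicket-jquery-ui:wicket-kendo-ui:jar:8.0.0-M8:compile",
    "[INFO]    com.googlecode.wicket-jquery-ui:wicket-kendo-ui:jar:7.10.1:compile",
    "[INFO]    org.apache.wicket:wicket-core:jar:7.9.0:compile",
]
```

Comparing versions as parsed tuples rather than strings is what keeps 7.10.1 out of the `< 7.9.2` range and separates 8.0.0-M8 from the fixed 8.0.0-M8.1.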
Affected products
- Range: <=6.28.0, <=7.9.1, <=8.0.0-M8
- Apache Software Foundation/Wicket jQuery UI (v5), Range: <= 6.28.0
References
- github.com/advisories/GHSA-pwpc-hqq2-hx2x (source: ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-15719 (source: ghsa; ADVISORY)
- openmeetings.apache.org/security.html (source: ghsa; x_refsource_CONFIRM, WEB)