exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Spring MVC 3.2.8 / 4.0.1 Cross Site Scripting

Spring MVC 3.2.8 / 4.0.1 Cross Site Scripting
Posted Mar 12, 2014
Authored by Pivotal Security Team, Paul Wowk

Spring MVC suffers from a cross site scripting vulnerability. When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested uri. An attacker can use this to inject malicious content into the form. Versions 3.0.0 through 3.2.8 and 4.0.0 through 4.0.1 are affected.

tags | advisory, xss
advisories | CVE-2014-1904
SHA-256 | 5eb5caff637b21acb3508f02276c5259beb463317ea4a478aa07494344d9cac9

Spring MVC 3.2.8 / 4.0.1 Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-1904 XSS when using Spring MVC

Severity: Moderate

Vendor: Spring by Pivotal

Versions Affected:
- - Spring MVC 3.0.0 to 3.2.8
- - Spring MVC 4.0.0 to 4.0.1
- - Earlier unsupported versions may be affected

Description:
When a programmer does not specify the action on the Spring form, Spring
automatically populates the action field with the requested uri. An atacker can
use this to inject malicious content into the form.

Mitigation:
Users of affected versions should apply the following mitigation:
- - Users of 3.x should upgrade to 3.2.8 or later
- - Users of 4.x should upgrade to 4.0.2 or later

Credit:
This issue was discovered and reported responsibly to the Pivotal security team
by Paul Wowk of CAaNES LLC.

References:
https://jira.springsource.org/browse/SPR-11426
https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485

History:
2014-Mar-11: Initial vulnerability report published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - WinPT 1.2.0

iQIcBAEBAgAGBQJTH4RmAAoJEKSZXFdK82Xa9cgP/jrsKO2583HNfsIfglZxcnEY
YpKlCbqNeXzwEuACTJGdsilH57Q1mx7CuMGSBUjDi/ayiKfWmlhdZapkvVc8qdPC
2yUeYjKpj70MGedzWODMEPYdpM0bfqpmYep5HPioYA/jj3xQBrcZSQ1FAMCWzSTF
FWyqbkB3qO9F80Vs/E2wKbH/Qm4pEOiaxQg+moCut/RLHYlWKGRFt+ujqd7EUnzY
mGyeUR419F97pA2juF1GAh68R+z2mvwupPMCnc6naMPXtOuZoLZfAwJEoyqdQTyD
NpnKJfeF2PCAGSPT0tlvgyxsW08zVb6QQv2WvKcQMqyDYYqnMpedUK9ZmtykNXYo
ehQjRqSFy/amf+LPdJzYn8Z3bC49RLeOjkRNrWL2tj0gq9gn/PbZNcQxxT1u+z4C
md1TDdv8/N8M8GKc61exm1wnVedPHbanCeYc5g7+fkQm0qu0qmQzHmls3jRedWH2
XqHQ63w4/hpv/tD0YESK+wvXXAP359kqTUmJ3GOhYOAJ9+K4dxyCLXUIsfif4wTq
cJ6yubaLTMI50b+tzfxV0WsF+ez6MEyfXJoNXR8LfEOiTIUWC/5boslrAtAPKgpS
X+ISd4qHLj6AyjoqfBTLSpZecP4RNtxRPJsC04RgKx2yMIjxlO8nghu4z5xYe0L0
d/vOAj1idcQotv/g92jl
=msWo
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close