seeing is believing
Showing 1 - 5 of 5 RSS Feed

Files from Pivotal Security Team

Email addresssecurity at gopivotal.com
First Active2014-01-15
Last Active2014-03-12
Spring MVC 3.2.8 / 4.0.1 Cross Site Scripting
Posted Mar 12, 2014
Authored by Pivotal Security Team, Paul Wowk

Spring MVC suffers from a cross site scripting vulnerability. When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested uri. An attacker can use this to inject malicious content into the form. Versions 3.0.0 through 3.2.8 and 4.0.0 through 4.0.1 are affected.

tags | advisory, xss
advisories | CVE-2014-1904
MD5 | 8e45e90462d51aa79ab07c314995f4ce
Spring Security 3.2.1 / 3.1.5 Authentication Bypass
Posted Mar 12, 2014
Authored by Pivotal Security Team

The ActiveDirectoryLdapAuthenticator does not check the password length in Spring Security. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. Spring Security versions 3.2.0 through 3.2.1 and 3.1.0 through 3.1.5 are affected.

tags | advisory
advisories | CVE-2014-0097
MD5 | 16fb94e6372ab02b5b7a34920316ee44
Spring MVC 3.2.8 / 4.0.1 Incomplete Fix
Posted Mar 12, 2014
Authored by Pivotal Security Team, Spase Markovski

Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. Jaxb2RootElementHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and that processing is now disabled by default. Versions 3.0.0 through 3.2.8 and 4.0.0 through 4.0.1 are affected.

tags | advisory
advisories | CVE-2014-0054, CVE-2013-4152, CVE-2013-6429
MD5 | 1980eaf30d0f1250b46ce44e4a77d587
Spring JavaScriptUtils.javaScriptEscape() Escape Failure
Posted Jan 16, 2014
Authored by Pivotal Security Team

The JavaScriptUtils.javaScriptEscape() method did not escape all characters that are sensitive within either a JS single quoted string, JS double quoted string, or HTML script data context. In most cases this will result in an unexploitable parse error but in some cases it could result in a cross site scripting vulnerability. Spring MVC versions 3.0.0 through 3.2.1 are affected.

tags | advisory, xss
advisories | CVE-2013-6430
MD5 | 7f8e24b87327b778c2e67cacf4da863f
Spring XXE Injection Incomplete Fix
Posted Jan 15, 2014
Authored by Pivotal Security Team

The fix for the XXE injection vulnerability in Spring's framework was incomplete when addressing the issue outlined in CVE-2013-4152. Versions affected include Spring MVC 3.0.0 to 3.2.4 and Spring MVC 4.0.0.M1 to 4.0.0.RC1.

tags | advisory
advisories | CVE-2013-4152, CVE-2013-6429
MD5 | 4abbcfb4e619444ff74e9294573030a3
Page 1 of 1
Back1Next

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close