-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-1904 XSS when using Spring MVC Severity: Moderate Vendor: Spring by Pivotal Versions Affected: - - Spring MVC 3.0.0 to 3.2.8 - - Spring MVC 4.0.0 to 4.0.1 - - Earlier unsupported versions may be affected Description: When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested uri. An atacker can use this to inject malicious content into the form. Mitigation: Users of affected versions should apply the following mitigation: - - Users of 3.x should upgrade to 3.2.8 or later - - Users of 4.x should upgrade to 4.0.2 or later Credit: This issue was discovered and reported responsibly to the Pivotal security team by Paul Wowk of CAaNES LLC. References: https://jira.springsource.org/browse/SPR-11426 https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485 History: 2014-Mar-11: Initial vulnerability report published. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) - WinPT 1.2.0 iQIcBAEBAgAGBQJTH4RmAAoJEKSZXFdK82Xa9cgP/jrsKO2583HNfsIfglZxcnEY YpKlCbqNeXzwEuACTJGdsilH57Q1mx7CuMGSBUjDi/ayiKfWmlhdZapkvVc8qdPC 2yUeYjKpj70MGedzWODMEPYdpM0bfqpmYep5HPioYA/jj3xQBrcZSQ1FAMCWzSTF FWyqbkB3qO9F80Vs/E2wKbH/Qm4pEOiaxQg+moCut/RLHYlWKGRFt+ujqd7EUnzY mGyeUR419F97pA2juF1GAh68R+z2mvwupPMCnc6naMPXtOuZoLZfAwJEoyqdQTyD NpnKJfeF2PCAGSPT0tlvgyxsW08zVb6QQv2WvKcQMqyDYYqnMpedUK9ZmtykNXYo ehQjRqSFy/amf+LPdJzYn8Z3bC49RLeOjkRNrWL2tj0gq9gn/PbZNcQxxT1u+z4C md1TDdv8/N8M8GKc61exm1wnVedPHbanCeYc5g7+fkQm0qu0qmQzHmls3jRedWH2 XqHQ63w4/hpv/tD0YESK+wvXXAP359kqTUmJ3GOhYOAJ9+K4dxyCLXUIsfif4wTq cJ6yubaLTMI50b+tzfxV0WsF+ez6MEyfXJoNXR8LfEOiTIUWC/5boslrAtAPKgpS X+ISd4qHLj6AyjoqfBTLSpZecP4RNtxRPJsC04RgKx2yMIjxlO8nghu4z5xYe0L0 d/vOAj1idcQotv/g92jl =msWo -----END PGP SIGNATURE-----