Spring MVC suffers from a cross-site scripting vulnerability. When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested URI. An attacker can use this to inject malicious content into the form. Versions 3.0.0 through 3.2.8 and 4.0.0 through 4.0.1 are affected.
5eb5caff637b21acb3508f02276c5259beb463317ea4a478aa07494344d9cac9
The ActiveDirectoryLdapAuthenticator does not check the password length in Spring Security. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. Spring Security versions 3.2.0 through 3.2.1 and 3.1.0 through 3.1.5 are affected.
a6f710e75878a79eb3c98eb2f5253ae95ffd7b23d3f70f0cc3988a5e59e0213e
Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. Jaxb2RootElementHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and that processing is now disabled by default. Versions 3.0.0 through 3.2.8 and 4.0.0 through 4.0.1 are affected.
99a8ad7c850c897b9d19d09b3e771b91512dc689e5f940a3f5f0bfee478e8189
The JavaScriptUtils.javaScriptEscape() method did not escape all characters that are sensitive within a JS single-quoted string, a JS double-quoted string, or an HTML script data context. In most cases this results in an unexploitable parse error, but in some cases it could result in a cross-site scripting vulnerability. Spring MVC versions 3.0.0 through 3.2.1 are affected.
242790135a9927b7deb87c43607a629b3269e553eee7b7f28d9784435b870ce8
The fix for the XXE injection vulnerability in Spring's framework was incomplete when addressing the issue outlined in CVE-2013-4152. Versions affected include Spring MVC 3.0.0 to 3.2.4 and Spring MVC 4.0.0.M1 to 4.0.0.RC1.
173314b9e0698f8b4a1f988549c3ab83bb9af713cd2cc7374742743449dc9f25