Improper Neutralization of Input During Web Page Generation in Spring Framework

2022-05-1401:14:55

Google

osv.dev

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

65.7%

JSON

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

CPENameOperatorVersion
org.springframework:spring-webmvceq3.0.5.RELEASE
org.springframework:spring-webmvceq3.1.4.RELEASE
org.springframework:spring-webmvceq3.2.3.RELEASE
org.springframework:spring-webmvceq3.1.3.RELEASE
org.springframework:spring-webmvceq3.2.6.RELEASE
org.springframework:spring-webmvceq3.2.1.RELEASE
org.springframework:spring-webmvceq3.0.7.RELEASE
org.springframework:spring-webmvceq3.1.2.RELEASE
org.springframework:spring-webmvceq4.0.1.RELEASE
org.springframework:spring-webmvceq3.2.0.RELEASE

Name	Operator	Version
org.springframework:spring-webmvc	eq	3.0.5.RELEASE
org.springframework:spring-webmvc	eq	3.1.4.RELEASE
org.springframework:spring-webmvc	eq	3.2.3.RELEASE
org.springframework:spring-webmvc	eq	3.1.3.RELEASE
org.springframework:spring-webmvc	eq	3.2.6.RELEASE
org.springframework:spring-webmvc	eq	3.2.1.RELEASE
org.springframework:spring-webmvc	eq	3.0.7.RELEASE
org.springframework:spring-webmvc	eq	3.1.2.RELEASE
org.springframework:spring-webmvc	eq	4.0.1.RELEASE
org.springframework:spring-webmvc	eq	3.2.0.RELEASE