6504 matches found
Spring Framework vulnerable to directory traversal
Overview Spring Framework is a Java framework for developing web applications. Spring Framework contains a directory traversal vulnerability. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer under Informatio...
JVN#49154900: Spring Framework vulnerable to directory traversal
Spring Framework is a Java framework for developing web applications. Spring Framework contains a directory traversal vulnerability. Impact A remote attacker may be able to access arbitrary files on the server. Solution Update the software Users of 3.x should update to version 3.2.9 or later and...
CVE-2014-0097 Spring Security Blank password may bypass user authentication
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-0097 Blank password may bypass user authentication Severity: Important Vendor: Spring by Pivotal Versions Affected: - - Spring Security 3.2.0 to 3.2.1 - - Spring Security 3.1.0 to 3.1.5 Description: The ActiveDirectoryLdapAuthenticator does n...
CVE-2014-1904 XSS when using Spring MVC
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-1904 XSS when using Spring MVC Severity: Moderate Vendor: Spring by Pivotal Versions Affected: - - Spring MVC 3.0.0 to 3.2.8 - - Spring MVC 4.0.0 to 4.0.1 - - Earlier unsupported versions may be affected Description: When a programmer does no...
CVE-2014-0054 Spring MVC Incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-0054 Incomplete fix for CVE-2013-4152 / CVE-2013-6429 XXE Severity: Important Vendor: Spring by Pivotal Versions Affected: - - Spring MVC 3.0.0 to 3.2.8 - - Spring MVC 4.0.0 to 4.0.1 - - Earlier unsupported versions may be affected Descriptio...
CVE-2014-0054
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML Extern...
CVE-2014-0054
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML Extern...
DEBIAN-CVE-2014-0054
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML Extern...
CVE-2014-0054
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML Extern...
UBUNTU-CVE-2014-0054
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML Extern...
Xxe
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML Extern...
CVE-2014-0054
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML Extern...
CVE-2014-0054
CVE-2014-0054 is a XXE in Spring Framework’s Jaxb2RootElementHttpMessageConverter used by Spring MVC. Affected: Spring Framework before 3.2.8 and before 4.0.2 (specifically 4.0.0–4.0.2). Root cause: external entity resolution not disabled, allowing remote attackers to read arbitrary files, cause ...
CVE-2014-0054
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML Extern...
Moderate: Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 update
Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System CVSS bas...
Framework: cross-site scripting flaw when using Spring MVC
Cross-site scripting XSS vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action...
Framework: XML External Entity (XXE) injection flaw
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External...
Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML Extern...
Framework: XML External Entity (XXE) injection flaw
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in...
Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters
The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting XSS attacks via a 1 line separator or 2 paragraph separator Unicod...