Lucene search

6504 matches found

Cvelist
added 2014/01/23 9:0 p.m. | 31 views

CVE-2013-4152

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in...

6.3 AI score | 0.67951 EPSS
Exploits: 1 | References: 13
CVE
added 2014/01/23 9:0 p.m. | 230 views

CVE-2013-4152

CVE-2013-4152 affects Spring Framework: the SourceHttpMessageConverter in Spring MVC with JAXB marshaller does not disable external entity resolution, enabling XXE to read files, cause DoS, and CSRF via XXE in DOMSource/StAXSource/SAXSource/StreamSource. Affected: Spring Framework pre-3.2.4 and 4...

6.8 CVSS | 5.7 AI score | 0.67951 EPSS
Exploits: 1 | References: 13 | Affected Software: 2
CVE
added 2014/01/23 9:0 p.m. | 118 views

CVE-2013-7315

CVE-2013-7315 affects Spring Framework’s Spring MVC: the SourceHttpMessageConverter (and related XML processing) fails to disable external entity resolution in the StAX XMLInputFactory for certain versions (Spring Framework before 3.2.4 and 4.0.0.M1–4.0.0.M2). This XXE condition allows context-de...

6.8 CVSS | 6.1 AI score | 0.00243 EPSS
Exploits: 1 | References: 6 | Affected Software: 2
Debian CVE
added 2014/01/23 9:0 p.m. | 33 views

CVE-2013-4152

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in...

6.8 CVSS | 9.2 AI score | 0.67951 EPSS
Exploits: 1
securityvulns
added 2014/01/19 12:0 a.m. | 93 views

CVE-2013-6429 Fix for XML External Entity (XXE) injection (CVE-2013-4152) in Spring Framework was incomplete

Severity: Important Vendor: Spring by Pivotal Versions Affected: - Spring MVC 3.0.0 to 3.2.4 - Spring MVC 4.0.0.M1-4.0.0.RC1 - Earlier unsupported versions may be affected Description: Spring MVC's SourceHttpMessageConverter also processed user provided XML and neither disabled XML external...

6.8 CVSS | 0.5 AI score | 0.67951 EPSS
Exploits: 1
Tenable Nessus
added 2014/01/14 12:0 a.m. | 37 views

Debian DSA-2842-1 : libspring-java - denial of service

Alvaro Munoz discovered a XML External Entity (XXE) injection in the Spring Framework which can be used for conducting CSRF and DoS attacks on other sites. The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. There are four possible...

6.8 CVSS | 8.2 AI score | 0.67951 EPSS
Exploits: 1 | References: 4
Debian
added 2014/01/13 4:6 p.m. | 48 views

[SECURITY] [DSA 2842-1] libspring-java security update

------------------------------------------------------------------------- Debian Security Advisory DSA-2842-1 [email protected] http://www.debian.org/security/ Markus Koschany January 13, 2014 http://www.debian.org/security/faq -...

6.8 CVSS | 7.6 AI score | 0.67951 EPSS
Exploits: 1
OpenVAS
added 2014/01/13 12:0 a.m. | 32 views

Debian Security Advisory DSA 2842-1 (libspring-java - denial of service)

Alvaro Munoz discovered a XML External Entity (XXE) injection in the Spring Framework which can be used for conducting CSRF and DoS attacks on other sites. The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. There are four possible...

6.8 CVSS | 6.5 AI score | 0.67951 EPSS
Exploits: 1 | References: 1
OSV
added 2014/01/13 12:0 a.m. | 15 views

DSA-2842-1 libspring-java - several

Bulletin has no description...

6.8 CVSS | 5.4 AI score | 0.67951 EPSS
Exploits: 2
OpenVAS
added 2014/01/12 12:0 a.m. | 27 views

Debian: Security Advisory (DSA-2842-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

6.8 CVSS | 6.8 AI score | 0.67951 EPSS
Exploits: 2 | References: 3
Fedora
added 2013/12/09 2:0 a.m. | 12 views

[SECURITY] Fedora 18 Update: php-symfony2-Security-2.2.10-1.fc18

Security provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so-called user providers that hold the users' credentials. It is inspired by the Java Spring framework...

5 CVSS | 3.1 AI score | 0.00474 EPSS
Exploits: 0
securityvulns
added 2013/12/09 12:0 a.m. | 31 views

XXE Injection in Spring Framework

Hello! I'll give you additional information concerning advisory XML External Entity XXE Injection in Spring Framework http://securityvulns.ru/docs29758.html. ------------------------- Affected products: ------------------------- - 3.0.0 to 3.2.3 Spring OXM & Spring MVC - 4.0.0.M1 Spring OXM -...

1.1 AI score
Exploits: 0
NVD
added 2013/10/02 10:55 p.m. | 11 views

CVE-2013-5979

Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php...

5 CVSS | 6.6 AI score | 0.24188 EPSS
Exploits: 2 | References: 2
Prion
added 2013/10/02 10:55 p.m. | 8 views

Directory traversal

Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php...

5 CVSS | 7.1 AI score | 0.24188 EPSS
Exploits: 2 | References: 2 | Affected Software: 1
CVE
added 2013/10/02 10:0 p.m. | 64 views

CVE-2013-5979

The CVE-2013-5979 issue affects Spring Signage Xibo 1.2.x (pre-1.2.3) and 1.4.x (pre-1.4.2). A directory traversal flaw allows remote attackers to read arbitrary files by supplying a .. in the p parameter to index.php. Impact: potential exposure of sensitive server files. Root cause: insufficient...

5 CVSS | 6.8 AI score | 0.24188 EPSS
Exploits: 2 | References: 2 | Affected Software: 1
Positive Technologies
added 2013/10/02 12:0 a.m. | 3 views

PT-2013-5900

Name of the Vulnerable Software and Affected Versions: Spring Signage Xibo versions 1.2.x through 1.2.2; Spring Signage Xibo versions 1.4.x through 1.4.1. Description: The issue allows remote attackers to read arbitrary files. This is achieved by using a .. (dot dot) in the p parameter to the "index.ph...

5 CVSS | 6.8 AI score | 0.24188 EPSS
Exploits: 2 | References: 5
securityvulns
added 2013/09/09 12:0 a.m. | 249 views

CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework

Severity: Important Vendor: Spring by Pivotal Versions Affected: - 3.0.0 to 3.2.3 Spring OXM & Spring MVC - 4.0.0.M1 Spring OXM - 4.0.0.M1-4.0.0.M2 Spring MVC - Earlier unsupported versions may also be affected Description: The Spring OXM wrapper did not expose any property for disabling entity...

6.8 CVSS | 0.2 AI score | 0.67951 EPSS
Exploits: 1
seebug.org
added 2013/09/03 12:0 a.m. | 20 views

Spring Framework Multiple XML Entity Reference Information Disclosure Vulnerabilities

No description provided by source...

7.1 AI score
Exploits: 0
exploitpack
added 2013/07/18 12:0 a.m. | 23 views

Xibo 1.2.2/1.4.1 - index.php?p Directory Traversal

Xibo 1.2.2/1.4.1 - index.php?p Directory Traversal. Exploit Title: Xibo Directory Traversal Vulnerability. Exploit Author: Mahendra. Date: 2 April 2013. Vendor homepage: http://xibo.org.uk References:...

0.1 AI score
Exploits: 0
0day.today
added 2013/07/18 12:0 a.m. | 33 views

Xibo 1.2.2 and 1.4.1 Directory Traversal Vulnerability

Exploit for php platform in category web applications Exploit Title: Xibo Directory Traversal Vulnerability Exploit Author: Mahendra Date: 2 April 2013 Vendor homepage: http://xibo.org.uk References:...

7.1 AI score
Exploits: 0