[<prev] [next>] [day] [month] [year] [list]
Message-Id: <3ecd0851-c57c-47a4-9da2-2ee1d29b0e8d@gopivotal.com>
Date: Tue, 11 Mar 2014 14:47:55 -0700 (PDT)
From: Pivotal Security Team <security@...ivotal.com>
To: security@...ivotal.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: CVE-2014-1904 XSS when using Spring MVC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2014-1904 XSS when using Spring MVC
Severity: Moderate
Vendor: Spring by Pivotal
Versions Affected:
- - Spring MVC 3.0.0 to 3.2.8
- - Spring MVC 4.0.0 to 4.0.1
- - Earlier unsupported versions may be affected
Description:
When a programmer does not specify the action on the Spring form, Spring
automatically populates the action field with the requested uri. An atacker can
use this to inject malicious content into the form.
Mitigation:
Users of affected versions should apply the following mitigation:
- - Users of 3.x should upgrade to 3.2.8 or later
- - Users of 4.x should upgrade to 4.0.2 or later
Credit:
This issue was discovered and reported responsibly to the Pivotal security team
by Paul Wowk of CAaNES LLC.
References:
https://jira.springsource.org/browse/SPR-11426
https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485
History:
2014-Mar-11: Initial vulnerability report published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - WinPT 1.2.0
iQIcBAEBAgAGBQJTH4RmAAoJEKSZXFdK82Xa9cgP/jrsKO2583HNfsIfglZxcnEY
YpKlCbqNeXzwEuACTJGdsilH57Q1mx7CuMGSBUjDi/ayiKfWmlhdZapkvVc8qdPC
2yUeYjKpj70MGedzWODMEPYdpM0bfqpmYep5HPioYA/jj3xQBrcZSQ1FAMCWzSTF
FWyqbkB3qO9F80Vs/E2wKbH/Qm4pEOiaxQg+moCut/RLHYlWKGRFt+ujqd7EUnzY
mGyeUR419F97pA2juF1GAh68R+z2mvwupPMCnc6naMPXtOuZoLZfAwJEoyqdQTyD
NpnKJfeF2PCAGSPT0tlvgyxsW08zVb6QQv2WvKcQMqyDYYqnMpedUK9ZmtykNXYo
ehQjRqSFy/amf+LPdJzYn8Z3bC49RLeOjkRNrWL2tj0gq9gn/PbZNcQxxT1u+z4C
md1TDdv8/N8M8GKc61exm1wnVedPHbanCeYc5g7+fkQm0qu0qmQzHmls3jRedWH2
XqHQ63w4/hpv/tD0YESK+wvXXAP359kqTUmJ3GOhYOAJ9+K4dxyCLXUIsfif4wTq
cJ6yubaLTMI50b+tzfxV0WsF+ez6MEyfXJoNXR8LfEOiTIUWC/5boslrAtAPKgpS
X+ISd4qHLj6AyjoqfBTLSpZecP4RNtxRPJsC04RgKx2yMIjxlO8nghu4z5xYe0L0
d/vOAj1idcQotv/g92jl
=msWo
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists