Vulnerabilities > Pivotal Software > Spring Framework

DATE CVE VULNERABILITY TITLE RISK
2020-01-10 CVE-2013-6430 Cross-site Scripting vulnerability in Pivotal Software Spring Framework
The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.
network
low complexity
pivotal-software CWE-79
5.4
2017-05-25 CVE-2016-5007 Permissions, Privileges, and Access Controls vulnerability in multiple products
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively.
network
low complexity
pivotal-software vmware CWE-264
7.5
2017-05-25 CVE-2014-0225 XXE vulnerability in multiple products
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration.
network
low complexity
pivotal-software vmware CWE-611
8.8
2016-12-29 CVE-2016-9878 Path Traversal vulnerability in multiple products
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5.
network
low complexity
pivotal-software vmware CWE-22
7.5
2016-07-12 CVE-2015-3192 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
5.5