CVE-2014-1904

CWE-79 — Cross-site Scripting (XSS)8 documents7 sources

Severity

4.3MEDIUM

EPSS

1.8%

top 17.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Software Spring Framework

Timeline

PublishedMar 20

Latest updateMay 14

Description

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Mavenorg.springframework:spring-webmvc3.0.0 — 3.2.8.RELEASE+1

▶NVDpivotal_software/spring_framework3.0.0 — 3.2.8+1

▶Debianlibspring-java< 3.0.6.RELEASE-13+3

Patches

Patch: www.gopivotal.com ↗Patch: github.com ↗Patch: www.gopivotal.com ↗

🔴Vulnerability Details

GHSA

Improper Neutralization of Input During Web Page Generation in Spring Framework↗2022-05-14

▶

OSV

Improper Neutralization of Input During Web Page Generation in Spring Framework↗2022-05-14

▶

OSV

CVE-2014-1904: Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag↗2014-03-20

▶

CVEList

CVE-2014-1904: Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag↗2014-03-20

▶

📋Vendor Advisories

Red Hat

Framework: cross-site scripting flaw when using Spring MVC↗2014-02-13

▶

Debian

CVE-2014-1904: libspring-java - Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java i...↗2014

▶

💬Community

Bugzilla

CVE-2014-1904 Spring Framework: cross-site scripting flaw when using Spring MVC↗2014-03-12

▶