Search for packages
| purl | pkg:maven/org.springframework/spring-oxm@3.1.0.RELEASE |
| Next non-vulnerable version | 4.2.9.RELEASE |
| Latest non-vulnerable version | 5.2.9.RELEASE |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-asmf-3c71-gqcb
Aliases: CVE-2013-6430 GHSA-xjrf-8x4f-43h4 |
The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket. |
Affected by 4 other vulnerabilities. |
|
VCID-e7xv-sdvz-g7e4
Aliases: CVE-2013-4152 GHSA-rp4p-g69r-438x |
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-eer8-apxc-2ue6
Aliases: CVE-2013-7315 GHSA-vp63-rrcm-9mph |
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions. |
Affected by 2 other vulnerabilities. |
|
VCID-r384-aque-vqcw
Aliases: CVE-2014-0225 GHSA-f93f-g33r-8pcp |
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-y3uz-etva-sufh
Aliases: CVE-2020-5421 GHSA-rv39-3qh7-9v7w |
Improper Input Validation in Spring Framework In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||