VulnerableCode Package Details - pkg:maven/org.springframework/spring-webmvc@3.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-ajex-5x84-8ygb Aliases: CVE-2014-1904 GHSA-ff7p-jqjm-v66h	Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.	3.2.8.RELEASE Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.0.2.RELEASE Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-asmf-3c71-gqcb Aliases: CVE-2013-6430 GHSA-xjrf-8x4f-43h4	The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.	3.2.2.RELEASE Affected by 10 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-r384-aque-vqcw Aliases: CVE-2014-0225 GHSA-f93f-g33r-8pcp	When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.	3.2.8 Affected by 0 other vulnerabilities. 3.2.8.RELEASE Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.0.5 Affected by 0 other vulnerabilities. 4.0.5.RELEASE Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-ajex-5x84-8ygb
Aliases:
CVE-2014-1904
GHSA-ff7p-jqjm-v66h

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

3.2.8.RELEASE
Affected by 7 other vulnerabilities.

4.0.2.RELEASE
Affected by 7 other vulnerabilities.

VCID-asmf-3c71-gqcb
Aliases:
CVE-2013-6430
GHSA-xjrf-8x4f-43h4

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.

3.2.2.RELEASE
Affected by 10 other vulnerabilities.

VCID-r384-aque-vqcw
Aliases:
CVE-2014-0225
GHSA-f93f-g33r-8pcp

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

3.2.8
Affected by 0 other vulnerabilities.

3.2.8.RELEASE
Affected by 7 other vulnerabilities.

4.0.5
Affected by 0 other vulnerabilities.

4.0.5.RELEASE
Affected by 5 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-04T14:30:27.863199+00:00	GHSA Importer	Affected by	VCID-ajex-5x84-8ygb	https://github.com/advisories/GHSA-ff7p-jqjm-v66h	38.1.0
2026-04-02T12:36:18.293901+00:00	GitLab Importer	Affected by	VCID-asmf-3c71-gqcb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-webmvc/CVE-2013-6430.yml	38.0.0
2026-04-01T16:00:51.444271+00:00	GHSA Importer	Affected by	VCID-r384-aque-vqcw	https://github.com/advisories/GHSA-f93f-g33r-8pcp	38.0.0
2026-04-01T12:50:18.338102+00:00	GitLab Importer	Affected by	VCID-r384-aque-vqcw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-webmvc/CVE-2014-0225.yml	38.0.0