Fluid Attacks Database

Description

Improper Neutralization of Input During Web Page Generation in Spring Framework The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libspring-java	>=0 <3.0.6.release-11	3.0.6.release-11
maven	org.springframework:spring-webmvc	>=3.0.0 <3.2.2	3.2.2.release
debian 12	libspring-java	>=0 <3.0.6.release-11	3.0.6.release-11
debian 13	libspring-java	>=0 <3.0.6.release-11	3.0.6.release-11
debian 14	libspring-java	>=0 <3.0.6.release-11	3.0.6.release-11
maven	org.springframework:spring-web	>=0 <3.2.2.release	3.2.2.release
maven	org.springframework:spring-oxm	>=3.0.0 <3.2.2	3.2.2.release

Aliases

1. CVE-2013-64302. NVD-2013-64303. OSV-DEBIAN-2013-64304. OSV-2013-64305. GCVE-2013-64306. SECURITY-TRACKER-CVE-2013-64307. GOPIVOTAL-cve-2013-64308. BUGZILLA-CVE-2013-6430

References

1. https://github.com/spring-projects/spring-framework/issues/146172. https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef0277bf52a4e0a03e20a2483. https://github.com/spring-projects/spring-framework/commit/9982b4c01a8c7be0961e58b58ed83731c40449ff4. https://github.com/spring-projects/spring-framework/commit/f5c9fe69a444607af667911bd4c5074b5b073e7b5. https://jira.spring.io/browse/SPR-9983?redirect=false6. https://spring.io/security/cve-2013-6430