Vulnerability Description
The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pivotal Software | Spring Framework | >= 3.0.0, < 3.2.2 |
Related Weaknesses (CWE)
References
- http://www.gopivotal.com/security/cve-2013-6430Third Party Advisory
- https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef027PatchThird Party Advisory
- https://jira.springsource.org/browse/SPR-9983Third Party Advisory
- http://www.gopivotal.com/security/cve-2013-6430Third Party Advisory
- https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef027PatchThird Party Advisory
- https://jira.springsource.org/browse/SPR-9983Third Party Advisory
FAQ
What is CVE-2013-6430?
CVE-2013-6430 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers t...
How severe is CVE-2013-6430?
CVE-2013-6430 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-6430?
Check the references section above for vendor advisories and patch information. Affected products include: Pivotal Software Spring Framework.