CVSS: 9.6EPSS: 2%CPEs: 36EXPL: 1CVE-2015-5211
https://notcve.org/view.php?id=CVE-2015-5211
25 May 2017 — Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response. En algunas situaciones, el Framework Spring versiones 4.2.0 hasta 4.2.1, versiones 4.0.0 hasta 4.1.7, versiones 3.2.0 hasta 3.2... • https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 7.5EPSS: 5%CPEs: 32EXPL: 0CVE-2016-9878 – Framework: Directory Traversal in the Spring Framework ResourceServlet
https://notcve.org/view.php?id=CVE-2016-9878
29 Dec 2016 — An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. Un problema fue descubierto en Pivotal Spring Framework en versiones anteriores a 3.2.18, 4.2.x en versiones anteriores a 4.2.9 y 4.3.x en versiones anteriores a 4.3.5. Las rutas proporcionadas al ResourceServlet no fueron desinfectadas adecuadamente y como resultado expuestas a... • http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 1%CPEs: 23EXPL: 0CVE-2015-3192 – Framework: denial-of-service attack with XML input
https://notcve.org/view.php?id=CVE-2015-3192
09 Jun 2016 — Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. Pivotal Spring Framework en versiones anteriores a 3.2.14 y 4.x en versiones anteriores a 4.1.7 no procesa correctamente las declaraciones DTD en línea cuando DTD no está completamente desactivado, lo que permite a atacantes remotos provoca... • http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2015-0201
https://notcve.org/view.php?id=CVE-2015-0201
10 Mar 2015 — The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors. El cliente Java SockJS en Pivotal Spring Framework 4.1.x anterior a 4.1.5 genera identificadores de sesiones previsibles, lo que permite a atacantes remotos enviar mensajes a otras sesiones a través de vectores no especificados. • https://pivotal.io/security/cve-2015-0201 • CWE-254: 7PK - Security Features •
CVSS: 5.3EPSS: 5%CPEs: 2EXPL: 0CVE-2014-3578 – Framework: Directory traversal
https://notcve.org/view.php?id=CVE-2014-3578
17 Feb 2015 — Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. Vulnerabilidad de salto de directorio en Pivotal Spring Framework 3.x anterior a 3.2.9 y 4.0 anterior a 4.0.5 permite a atacantes remotos leer ficheros arbitrarios a través de una URL arbitraria. A directory traversal flaw was found in the Spring Framework. A remote attacker could use this flaw to access arbitrary files on a server, and bypass... • http://jvn.jp/en/jp/JVN49154900/index.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 22%CPEs: 5EXPL: 2CVE-2014-3625 – Framework: directory traversal flaw
https://notcve.org/view.php?id=CVE-2014-3625
20 Nov 2014 — Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. Vulnerabilidad de salto de directorio (Directory Traversal) en Pivotal Spring Framework versión 3.0.4 hasta 3.2.x anterior a 3.2.12, versión 4.0.x anterior a 4.0.8 y versión 4.1.x anterior a 4.1.2, permite a atacantes remotos leer archivos arbitrarios por medio ... • https://github.com/ilmila/springcss-cve-2014-3625 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 34EXPL: 0CVE-2014-0225 – Framework: Information disclosure via SSRF
https://notcve.org/view.php?id=CVE-2014-0225
02 Oct 2014 — When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. Al procesar un documento XML proporcionado por el usuario, el Framework Spring, versiones de la 4.0.0 a la 4.0.4 y de la 3.0.0 a la 3.2.8 y otras versiones anteriores ya no soportadas, no desactiva por defecto la resolución de las referencias URI en una declarac... • https://pivotal.io/security/cve-2014-0225 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 2%CPEs: 2EXPL: 0CVE-2014-1904 – Framework: cross-site scripting flaw when using Spring MVC
https://notcve.org/view.php?id=CVE-2014-1904
12 Mar 2014 — Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action. Vulnerabilidad de XSS en web/servlet/tags/form/FormTag.java en Spring MVC en Spring Framework 3.0.0 anterior a 3.2.8 y 4.0.0 anterior a 4.0.2 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de la URI solicitada en una acció... • http://docs.spring.io/spring/docs/3.2.8.RELEASE/changelog.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 79%CPEs: 34EXPL: 0CVE-2014-0054 – Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429
https://notcve.org/view.php?id=CVE-2014-0054
12 Mar 2014 — The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429. Jaxb2RootElementHttpMessageConverter en Spring MVC en Spring Framework anterio... • http://rhn.redhat.com/errata/RHSA-2014-0400.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 28EXPL: 1CVE-2013-7315
https://notcve.org/view.php?id=CVE-2013-7315
23 Jan 2014 — The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions. El Spring MVC en Spring Framework anterior ... • http://seclists.org/bugtraq/2013/Aug/154 • CWE-264: Permissions, Privileges, and Access Controls •