Spring Web Flow
Monthly
Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 75.4%.
Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 75.4%.