exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 5 of 5 RSS Feed

Files from Pivotal Security Team

Email addresssecurity at gopivotal.com
First Active2014-01-15
Last Active2014-03-12
Spring MVC 3.2.8 / 4.0.1 Cross Site Scripting
Posted Mar 12, 2014
Authored by Pivotal Security Team, Paul Wowk

Spring MVC suffers from a cross site scripting vulnerability. When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested uri. An attacker can use this to inject malicious content into the form. Versions 3.0.0 through 3.2.8 and 4.0.0 through 4.0.1 are affected.

tags | advisory, xss
advisories | CVE-2014-1904
SHA-256 | 5eb5caff637b21acb3508f02276c5259beb463317ea4a478aa07494344d9cac9
Spring Security 3.2.1 / 3.1.5 Authentication Bypass
Posted Mar 12, 2014
Authored by Pivotal Security Team

The ActiveDirectoryLdapAuthenticator does not check the password length in Spring Security. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. Spring Security versions 3.2.0 through 3.2.1 and 3.1.0 through 3.1.5 are affected.

tags | advisory
advisories | CVE-2014-0097
SHA-256 | a6f710e75878a79eb3c98eb2f5253ae95ffd7b23d3f70f0cc3988a5e59e0213e
Spring MVC 3.2.8 / 4.0.1 Incomplete Fix
Posted Mar 12, 2014
Authored by Pivotal Security Team, Spase Markovski

Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. Jaxb2RootElementHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and that processing is now disabled by default. Versions 3.0.0 through 3.2.8 and 4.0.0 through 4.0.1 are affected.

tags | advisory, xxe
advisories | CVE-2014-0054, CVE-2013-4152, CVE-2013-6429
SHA-256 | 99a8ad7c850c897b9d19d09b3e771b91512dc689e5f940a3f5f0bfee478e8189
Spring JavaScriptUtils.javaScriptEscape() Escape Failure
Posted Jan 16, 2014
Authored by Pivotal Security Team

The JavaScriptUtils.javaScriptEscape() method did not escape all characters that are sensitive within either a JS single quoted string, JS double quoted string, or HTML script data context. In most cases this will result in an unexploitable parse error but in some cases it could result in a cross site scripting vulnerability. Spring MVC versions 3.0.0 through 3.2.1 are affected.

tags | advisory, xss
advisories | CVE-2013-6430
SHA-256 | 242790135a9927b7deb87c43607a629b3269e553eee7b7f28d9784435b870ce8
Spring XXE Injection Incomplete Fix
Posted Jan 15, 2014
Authored by Pivotal Security Team

The fix for the XXE injection vulnerability in Spring's framework was incomplete when addressing the issue outlined in CVE-2013-4152. Versions affected include Spring MVC 3.0.0 to 3.2.4 and Spring MVC 4.0.0.M1 to 4.0.0.RC1.

tags | advisory, xxe
advisories | CVE-2013-4152, CVE-2013-6429
SHA-256 | 173314b9e0698f8b4a1f988549c3ab83bb9af713cd2cc7374742743449dc9f25
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close