Improper Neutralization of Input During Web Page Generation in Spring Framework

2022-05-0500:29:18

Google

osv.dev

0.001 Low

EPSS

Percentile

30.5%

JSON

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.

CPENameOperatorVersion
org.springframework:spring-webeq1.1
org.springframework:spring-webeq2.5.1
org.springframework:spring-webeq2.5.6.SEC02
org.springframework:spring-webeq2.0.3
org.springframework:spring-webeq2.0-m1
org.springframework:spring-webeq1.2
org.springframework:spring-webeq2.0.8
org.springframework:spring-webeq3.1.2.RELEASE
org.springframework:spring-webeq1.1-rc1
org.springframework:spring-webeq1.2.6

Name	Operator	Version
org.springframework:spring-web	eq	1.1
org.springframework:spring-web	eq	2.5.1
org.springframework:spring-web	eq	2.5.6.SEC02
org.springframework:spring-web	eq	2.0.3
org.springframework:spring-web	eq	2.0-m1
org.springframework:spring-web	eq	1.2
org.springframework:spring-web	eq	2.0.8
org.springframework:spring-web	eq	3.1.2.RELEASE
org.springframework:spring-web	eq	1.1-rc1
org.springframework:spring-web	eq	1.2.6