CVE-2018-11039
Description
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Risk Information
Base Score
5.9
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
2.602
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are affected in Oracle WebLogic Server 10.3.6.0.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.1.3.0.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.3.0 | Windows |
| Vulnerabilities CVE-2018-11039 are fixed in Spring-web 5.0.7 | Windows |
| Vulnerabilities CVE-2018-11039 are fixed in Spring-web 4.3.18 | Windows |
| Multiple vulnerabilities are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 18.8 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.2 | Windows |
| Vulnerabilities CVE-2018-11039 are fixed in Spring-web for Linux 5.0.7 | Linux |
| Vulnerabilities CVE-2018-11039 are fixed in Spring-web for Linux 4.3.18 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234