FormTag has XSS vulnerability [SPR-10484] #15117

Closed

@spring-projects-issues

Mateusz Krzeszowiec opened SPR-10484 and commented

The form tag is vulnerable to XSS through the path. Although the query string is escaped before being printed, the path is not escaped at all. This can lead to a quite easily exploitable cross-site scripting issue; a sample attack vector could look like:
http://yourwebsite.com/text1/notescaped/text2/?escaped=escaped
where notescaped could be: /Company" onmouseover=prompt(12345689) bad="/somethinghere

or notescaped="><script>alert('pwned');</script>

The problem can be exploited when you're NOT specifying the action attribute.

The reference URL points out the line in which the path part of the URL (requestUri, at this point without query string yet) could be escaped.


Affects: 3.0 GA, 3.1 GA, 3.2 GA

Reference URL: https://github.com/SpringSource/spring-framework/blob/3.2.x/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java#L426

1 votes, 4 watchers
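
The gap the report describes, as an added example (not Spring's FormTag source and not the project's fix): a default form action built from the request path, once with only the query string escaped and once with the path escaped as well. The class, method names and hand-rolled escaper are hypothetical, and the input is assumed to reach the tag already URL-decoded.

```java
// Added example, not Spring's FormTag source. All names here are hypothetical.
public class FormActionEscaping {

    // Minimal HTML escaper, a stand-in for a library routine such as
    // Spring's HtmlUtils.htmlEscape.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour the report describes: query string escaped, path written raw.
    static String actionUnescapedPath(String requestUri, String query) {
        return "<form action=\"" + requestUri + "?" + htmlEscape(query) + "\">";
    }

    // Hardened: the path goes through the same escaping as the query string.
    static String actionEscapedPath(String requestUri, String query) {
        return "<form action=\"" + htmlEscape(requestUri) + "?" + htmlEscape(query) + "\">";
    }

    // True when the text between action=" and the closing "> holds a raw
    // double quote, i.e. the attribute value ends earlier than intended.
    static boolean breaksOutOfAttribute(String tag) {
        String value = tag.substring("<form action=\"".length(), tag.length() - 2);
        return value.indexOf('"') >= 0;
    }

    public static void main(String[] args) {
        // Constructed input: the path value from the report, assumed already decoded.
        String uri = "/text1/Company\" onmouseover=prompt(12345689) bad=\"/somethinghere/text2/";
        String query = "escaped=escaped";
        String before = actionUnescapedPath(uri, query);
        String after = actionEscapedPath(uri, query);
        System.out.println(before + "  breaks out: " + breaksOutOfAttribute(before));
        System.out.println(after + "  breaks out: " + breaksOutOfAttribute(after));
    }
}
```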

Labels: in: web - Issues in web modules (web, webmvc, webflux, websocket)
