Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2018-11039

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

CVSS v3:

  • Severity: Medium
  • Score: 5.9
  • AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

  • Severity: Low
  • Score: 4.3
  • AV:N/AC:M/Au:N/C:P/I:N/A:N

No CWE or OWASP classifications available.

Software From Fixed in
vmware / spring_framework 5.0.0 5.0.7
vmware / spring_framework - 4.3.18
oracle / retail_xstore_point_of_service 7.1 7.1.x
oracle / weblogic_server 12.1.3.0.0 12.1.3.0.0.x
oracle / application_testing_suite 12.5.0.3 12.5.0.3.x
oracle / hospitality_guest_access 4.2.0 4.2.0.x
oracle / hospitality_guest_access 4.2.1 4.2.1.x
oracle / weblogic_server 10.3.6.0.0 10.3.6.0.0.x
oracle / weblogic_server 12.2.1.3.0 12.2.1.3.0.x
oracle / enterprise_manager_ops_center 12.3.3 12.3.3.x
oracle / primavera_p6_enterprise_project_portfolio_management 18.8 18.8.x
oracle / endeca_information_discovery_integrator 3.2.0 3.2.0.x
oracle / endeca_information_discovery_integrator 3.1.0 3.1.0.x
oracle / application_testing_suite 13.1.0.1 13.1.0.1.x
oracle / application_testing_suite 13.2.0.1 13.2.0.1.x
oracle / application_testing_suite 13.3.0.1 13.3.0.1.x
oracle / communications_diameter_signaling_router - 8.3
oracle / communications_performance_intelligence_center - 10.2.1
oracle / insurance_rules_palette 10.0 10.0.x
oracle / insurance_rules_palette 10.2 10.2.x
oracle / communications_services_gatekeeper - 6.1.0.4.0
oracle / health_sciences_information_manager 3.0 3.0.x
oracle / healthcare_master_person_index 3.0 3.0.x
oracle / healthcare_master_person_index 4.0 4.0.x
oracle / insurance_calculation_engine 10.2 10.2.x
oracle / retail_customer_insights 15.0 15.0.x
oracle / retail_customer_insights 16.0 16.0.x
oracle / retail_predictive_application_server 16.0 16.0.x
oracle / enterprise_manager_for_mysql_database 13.2 13.2.x
oracle / retail_integration_bus 14.1.2 14.1.2.x
oracle / retail_assortment_planning 15.0 15.0.x
oracle / utilities_network_management_system 1.12.0.3 1.12.0.3.x
oracle / communications_online_mediation_controller 6.1 6.1.x
oracle / retail_clearance_optimization_engine 14.0.5 14.0.5.x
oracle / agile_plm 9.3.3 9.3.3.x
oracle / agile_plm 9.3.4 9.3.4.x
oracle / agile_plm 9.3.5 9.3.5.x
oracle / agile_plm 9.3.6 9.3.6.x
oracle / retail_assortment_planning 14.1 14.1.x
oracle / retail_assortment_planning 16.0 16.0.x
oracle / retail_financial_integration 13.2 13.2.x
oracle / retail_financial_integration 14.0 14.0.x
oracle / retail_financial_integration 14.1 14.1.x
oracle / retail_financial_integration 15.0 15.0.x
oracle / retail_financial_integration 16.0 16.0.x
oracle / micros_lucas 2.9.5 2.9.5.x
oracle / enterprise_manager_base_platform 13.2.0.0.0 13.2.0.0.0.x
oracle / enterprise_manager_base_platform 12.1.0.5.0 12.1.0.5.0.x
oracle / enterprise_manager_base_platform 13.3.0.0.0 13.3.0.0.0.x
oracle / communications_unified_inventory_management 7.3.2 7.3.2.x
oracle / communications_unified_inventory_management 7.3.4 7.3.4.x
oracle / communications_unified_inventory_management 7.3.5 7.3.5.x
oracle / communications_unified_inventory_management 7.4.0 7.4.0.x
oracle / mysql_enterprise_monitor - 3.4.9.4237.x
oracle / communications_network_integrity 7.3.2 7.3.6.x
oracle / retail_advanced_inventory_planning 15.0 15.0.x
oracle / insurance_calculation_engine 11.0.0 11.3.1.x
oracle / retail_markdown_optimization 13.4.4 13.4.4.x
oracle / retail_predictive_application_server 15.0.3..100 15.0.3..100.x
oracle / retail_predictive_application_server 14.1.3.37 14.1.3.37.x
oracle / retail_predictive_application_server 14.0.3.26 14.0.3.26.x
oracle / mysql_enterprise_monitor 8.0.0 8.0.2.8191.x
oracle / mysql_enterprise_monitor 4.0.0 4.0.6.5281.x
debian / debian_linux 9.0 9.0.x
org.springframework / spring-core 5.0.0 5.0.7
org.springframework / spring-core 4.3.0 4.3.18