CVE-2013-6430 - Vulnerability Details - OpenCVE

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00337.

Key SSVC decision points have not yet been added.

Vendors	Products
Pivotal Software	Spring Framework
Redhat	Jboss Amq Jboss Fuse

Configuration 1 [-]

cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat JBoss A-MQ 6.1
	cpe:/a:redhat:jboss_amq:6.1.0	RHSA-2014:0401	2014-04-14T00:00:00Z
Red Hat JBoss Fuse 6.1
	cpe:/a:redhat:jboss_fuse:6.1.0	RHSA-2014:0400	2014-04-14T00:00:00Z

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.gopivotal.com/security/cve-2013-6430
https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef0277bf52a4e0a03e20a248
https://jira.springsource.org/browse/SPR-9983
https://nvd.nist.gov/vuln/detail/CVE-2013-6430
https://www.cve.org/CVERecord?id=CVE-2013-6430

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00337}`	epss `{'score': 0.00347}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2020-01-10T13:28:11

Updated: 2024-08-06T17:39:01.262Z

Reserved: 2013-11-04T00:00:00

Link: CVE-2013-6430

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-01-10T14:15:10.107

Modified: 2024-11-21T01:59:12.620

Link: CVE-2013-6430

Redhat

Severity : Moderate

Publid Date: 2014-01-14T00:00:00Z

Links: CVE-2013-6430 - Bugzilla

OpenCVE Enrichment

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6D96828-BF24-4B0D-96B7-258723AAD3D9", "versionEndExcluding": "3.2.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket."}, {"lang": "es", "value": "El m\u00e9todo JavaScriptUtils.javaScriptEscape en el archivo web/util/JavaScriptUtils.java en Spring MVC en Spring Framework versiones anteriores a la versi\u00f3n 3.2.2 no escapa correctamente a determinados caracteres, lo que permite a atacantes remotos llevar a cabo ataques de tipo cross-site scripting (XSS) por medio de una (1) separador de l\u00ednea o (2) car\u00e1cter Unicode separador de p\u00e1rrafo o corchete angular (3) izquierdo o (4) derecho."}], "id": "CVE-2013-6430", "lastModified": "2024-11-21T01:59:12.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-10T14:15:10.107", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.gopivotal.com/security/cve-2013-6430"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef0277bf52a4e0a03e20a248"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://jira.springsource.org/browse/SPR-9983"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.gopivotal.com/security/cve-2013-6430"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef0277bf52a4e0a03e20a248"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jira.springsource.org/browse/SPR-9983"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Arun Neelicattu (Red Hat Security Response Team) and Jon Passki (Coverity SRL).", "affected_release": [{"advisory": "RHSA-2014:0401", "cpe": "cpe:/a:redhat:jboss_amq:6.1.0", "product_name": "Red Hat JBoss A-MQ 6.1", "release_date": "2014-04-14T00:00:00Z"}, {"advisory": "RHSA-2014:0400", "cpe": "cpe:/a:redhat:jboss_fuse:6.1.0", "product_name": "Red Hat JBoss Fuse 6.1", "release_date": "2014-04-14T00:00:00Z"}], "bugzilla": {"description": "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters", "id": "1039783", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1039783"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "verified"}, "details": ["The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket."], "name": "CVE-2013-6430", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4", "fix_state": "Will not fix", "package_name": "spring", "product_name": "Red Hat JBoss Enterprise Application Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Will not fix", "package_name": "spring", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "amq-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "ewp-5", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "fuse-esb-3.6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "others", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Will not fix", "package_name": "spring", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3", "fix_state": "Will not fix", "package_name": "spring", "product_name": "Red Hat JBoss SOA Platform 4.3"}], "public_date": "2014-01-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-6430\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-6430\nhttp://www.gopivotal.com/security/cve-2013-6430"], "threat_severity": "Moderate"}