CVE-2018-11039: Cross Site Scripting

June 25, 2018 (updated October 3, 2019)

Spring Framework allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

References

nvd.nist.gov/vuln/detail/CVE-2018-11039
pivotal.io/security/cve-2018-11039

Detect and mitigate CVE-2018-11039 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →