oracle application-testing-suite CVE-2020-5398 vulnerability in Oracle and Other Products
Published on January 17, 2020

RFD Attack via "Content-Disposition" Header Sourced from Request Input by Spring MVC or Spring WebFlux Application

product logo product logo product logo product logo product logo
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

NVD

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2020-5398 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2020-5398

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-5398 are published in these products:

Oracle Application Testing Suite
 
Oracle Communications Billing Revenue Management Elastic Charging Engine
 
Oracle Communications Diameter Signaling Router
 
Oracle Communications Element Manager
 
Oracle Communications Session Report Manager
 
Oracle Communications Session Route Manager
 
Oracle Enterprise Manager Base Platform
 
Oracle Financial Services Regulatory Reporting With Agilereporter
 
Oracle Flexcube Private Banking
 
Oracle Healthcare Master Person Index
 
Oracle Insurance Policy Administration J2ee
 
Oracle Insurance Rules Palette
 
Oracle MySQL
 
Oracle Rapid Planning
 
Oracle Retail Assortment Planning
 
Oracle Retail Bulk Data Integration
 
Oracle Retail Financial Integration
 
Oracle Retail Integration Bus
 
Oracle Retail Order Broker
 
Oracle Retail Predictive Application Server
 
Oracle Retail Service Backbone
 
Oracle Weblogic Server
 
Pivotal Software Spring Framework
 
Oracle Communications Cloud Native Core Policy
 
Oracle Communications Policy Management
 
Oracle Insurance Calculation Engine
 
Oracle Retail Back Office
 
Oracle Retail Central Office
 
Oracle Retail Point Of Service
 
Oracle Retail Returns Management
 
Oracle Siebel Engineering Installer Deployment
 
NetApp Data Availability Services
 
NetApp Snapcenter
 
VMware Spring Framework
 

Affected Versions

Spring Framework:

Exploit Probability

EPSS
90.21%
Percentile
99.58%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.