Spring Web Flow is a sub-component of Spring that builds on Spring MVC and allows implementing the flows of a web application.
Applications that leave the MvcViewFactoryCreator useSpringBinding property at its default value (disabled, i.e. set to "false") can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a <binder> sub-element declaring explicit data binding property mappings.
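An added example (not from the original advisory or the Spring project): a Python check over a flow definition that lists view states declaring a model but no <binder> sub-element. It assumes a view state with a model attribute is one that processes form submissions; the function name and the flow in SAMPLE_FLOW are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace used by Spring Web Flow flow definition files.
WEBFLOW_NS = "http://www.springframework.org/schema/webflow"

# Constructed sample flow: one view state with explicit bindings,
# one that binds a model without <binder>, one with no model at all.
SAMPLE_FLOW = """
<flow xmlns="http://www.springframework.org/schema/webflow">
  <view-state id="enterBookingDetails" model="booking">
    <binder>
      <binding property="checkinDate"/>
      <binding property="checkoutDate"/>
    </binder>
    <transition on="proceed" to="reviewBooking"/>
  </view-state>
  <view-state id="reviewBooking" model="booking">
    <transition on="confirm" to="bookingConfirmed"/>
  </view-state>
  <view-state id="help" view="help.jsp"/>
  <end-state id="bookingConfirmed"/>
</flow>
"""

def view_states_without_binder(flow_xml: str) -> list[str]:
    """Return ids of view states that bind a model but declare no <binder>."""
    root = ET.fromstring(flow_xml.strip())
    findings = []
    for state in root.iter(f"{{{WEBFLOW_NS}}}view-state"):
        if state.get("model") is None:
            continue  # assumption: no model means no form data is bound
        if state.find(f"{{{WEBFLOW_NS}}}binder") is None:
            findings.append(state.get("id", "<no id>"))
    return findings

if __name__ == "__main__":
    # Pass your own flow definition files as arguments; intended for
    # files from your own code base, not untrusted XML.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as handle:
                for state_id in view_states_without_binder(handle.read()):
                    print(f"{path}: view-state '{state_id}' has no <binder>")
    else:
        print(view_states_without_binder(SAMPLE_FLOW))
```

Each reported view state should get a <binder> listing only the properties the form is meant to set, in addition to the upgrade below.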
- Upgrade to the latest version of Spring Web Flow.