CVE-2018-11040 - Cross-Origin Resource Sharing (CORS)

Severity: Low2022-10-13

Security Advisories


Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v4.1.6 and olderHigh Oxygen Feedback 2.1 build 2022071516





Severity: High

CVSS Score: 7.5

The Spring Framework third-party library used by Oxygen XML products is an affected version mentioned in CVE-2018-11040 vulnerability description. However, Oxygen Feedback does not use MappingJackson2JsonView nor enable JSONP support through AbstractJsonpResponseBodyAdvice. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Feedback v2.1 build 2022071516 Spring Framework library was updated to a non-vulnerable version.

List of Security Advisories