Cross-site Scripting (XSS) Affecting microsoft.aspnet.mvc.core package, versions [2,2.0.60814.0)[3,3.0.50813.1)[4,4.0.40804.0)[5,5.0.20821.0)[5.1,5.1.20821.0)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
12.19% (96th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DOTNET-MICROSOFTASPNETMVCCORE-60001
  • published14 Oct 2014
  • disclosed14 Oct 2014
  • creditUnknown

Introduced: 14 Oct 2014

CVE-2014-4075  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade Microsoft.AspNet.Mvc.Core to versions 2.0.60814.0, 3.0.50813.1, 4.0.40804.0, 5.0.20821.0, 5.1.20821.0 or higher.

Overview

Microsoft.AspNet.Mvc.Core is the core runtime components of ASP.NET MVC.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks via the System.Web.Mvc.dll in Microsoft ASP.NET Model View Controller (MVC).

The vulnerability could allow security feature bypass if an attacker convinces a user to click a specially crafted link or to visit a webpage that contains specially crafted content designed to exploit the vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through a web browser, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website, or by getting them to open an attachment sent through email.

  • Microsoft Security Bulletin MS14-059

Details

<>

CVSS Scores

version 3.1