This vulnerability involves improper neutralization of input during web page generation (CWE-79) in the Spring Framework's handling of JSP form tag attributes cssClass, cssErrorClass, and cssStyle. User-supplied values in these attributes are not properly sanitized, enabling injection of arbitrary HTML or JavaScript code, which can result in cross-site scripting (XSS). The affected versions span multiple major releases of Spring Framework, specifically 5.3.0 to 5.3.48, 6.1.0 to 6.1.27, 6.2.0 to 6.2.18, and 7.0.0 to 7.0.7. The vulnerability requires user interaction (UI:R) and has a high impact on confidentiality (C:H) but low impact on integrity (I:L) and no impact on availability (A:N). No official fix or patch is currently documented in the vendor advisory or CVE data.

Successful exploitation allows an attacker to inject and execute arbitrary HTML or JavaScript code in the context of the vulnerable web application. This can lead to disclosure of sensitive information accessible to the victim's browser, such as session tokens or other confidential data. The vulnerability does not impact system integrity or availability directly. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor Spring Framework advisories for updates. Until a patch is available, avoid accepting untrusted user input in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags or implement custom input validation and output encoding to mitigate injection risks.