Two vulnerabilities were discovered in libspring-java, the Debian package for the Java Spring framework. CVE-2014-0054 Jaxb2RootElementHttpMessageConverter in Spring MVC processes external XML entities. CVE-2014-1904 Spring MVC introduces a cross-site scripting vulnerability if the action on a Spring form is not specified.