
He1Renyagao

#44487 of 53,638
5.9 CVSS total
Vulnerabilities · 1
PT-2017-18084
5.9
2017-11-27
Pivotal · Spring Web Flow · CVE-2017-8039
**Name of the Vulnerable Software and Affected Versions**
Pivotal Spring Web Flow versions prior to 2.5

**Description**
An issue was discovered in Pivotal Spring Web Flow where applications that do not change the value of the `useSpringBinding` property, which is disabled by default, can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

**Recommendations**
For versions prior to 2.5, consider enabling the `useSpringBinding` property to mitigate the risk of exploitation. As a temporary workaround, restrict the use of view states that process form submissions without explicit data binding property mappings until a patch is available.