Cross-site scripting in Apache CXF
Moderate severity, GitHub Reviewed
Published by the National Vulnerability Database: Nov 12, 2020
Reviewed: Apr 20, 2021
Published to the GitHub Advisory Database: Apr 22, 2021
Last updated: Feb 1, 2023

Description
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This web page is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath parameter, which allows a malicious actor to inject JavaScript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
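Two defender-side checks for this advisory, as an added example that is not Apache CXF code and not part of the advisory: a version check that applies the two fixed release lines stated above (3.3.8 and 3.4.1), and a scan of constructed Apache-style access-log lines for requests to a /services path whose styleSheetPath parameter carries HTML markup characters after URL decoding. The /services path, the combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic); the third line carries
# markup in styleSheetPath, the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2020:10:01:02 +0000] "GET /services HTTP/1.1" 200 1842
10.0.0.5 - - [12/Nov/2020:10:01:09 +0000] "GET /services?stylesheet=1 HTTP/1.1" 200 1201
10.0.0.9 - - [12/Nov/2020:10:02:33 +0000] "GET /services?styleSheetPath=%3Cscript%3E HTTP/1.1" 200 1930
10.0.0.9 - - [12/Nov/2020:10:02:40 +0000] "GET /services?styleSheetPath=/static/cxf.css HTTP/1.1" 200 1930
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
MARKUP_CHARS = '<>"\''  # a stylesheet path never legitimately needs these

def is_affected(version: str) -> bool:
    """True if this CXF version predates the fix in its release line (assumed
    reading of the advisory: 3.3.x fixed from 3.3.8, 3.4.x fixed from 3.4.1,
    anything older than 3.3 affected, anything newer than 3.4 not affected)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(p) for p in m.groups())
    if (major, minor) == (3, 3):
        return patch < 8
    if (major, minor) == (3, 4):
        return patch < 1
    return (major, minor) < (3, 3)

def suspicious_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded styleSheetPath) for requests to a /services
    path whose styleSheetPath value contains HTML markup characters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.rstrip("/").endswith("/services"):
            continue
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() != "stylesheetpath":
                continue
            for value in values:
                decoded = unquote(value)  # parse_qs decoded once; also catch double-encoding
                if any(c in decoded for c in MARKUP_CHARS):
                    hits.append((m.group("ip"), decoded))
    return hits
```

Feed `suspicious_requests` your own access logs to find reflected-XSS attempts against the listing page, and use `is_affected` against the CXF version in your dependency tree to decide whether the upgrade is still outstanding.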