CVE-2020-13954
maven/org.apache.cxf/cxf
Cross-site Scripting
By default, Apache CXF creates a /services
page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath
, which allows a malicious actor to inject javascript into the web page. Please note that this is a separate issue to CVE-2019-17573.
All versions before 3.3.8, all versions starting from 3.4.0 before 3.4.1
Upgrade to versions 3.3.8, 3.4.1 or above.
2020-11-27
source |