CVE-2020-13954
maven/org.apache.cxf/cxf-api
Cross-site Scripting
By default, Apache CXF creates a /services
page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath
, which allows a malicious actor to inject javascript into the web page.
All versions before 3.3.8, all versions starting from 3.4.0 before 3.4.1
Upgrade to versions 3.3.8, 3.4.1 or above.
2020-11-26
source |