CVE-2020-13954

Cross-site Scripting in maven/org.apache.cxf/cxf-api

Identifiers

CVE-2020-13954

Package Slug

maven/org.apache.cxf/cxf-api

Vulnerability

Cross-site Scripting

Description

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject JavaScript into the web page.

Affected Versions

All versions before 3.3.8, all versions starting from 3.4.0 before 3.4.1

Solution

Upgrade to versions 3.3.8, 3.4.1 or above.

Last Modified

2020-11-26
