CVE-2020-13954

CVE-2020-13954

maven/org.apache.cxf/cxf-core

Cross-site Scripting

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. Please note that this is a separate issue to CVE-2019-17573.

All versions before 3.3.8, all versions starting from 3.4.0 before 3.4.1

Upgrade to versions 3.3.8, 3.4.1 or above.

2020-11-26