CVE-2019-17573: Cross-site Scripting
(updated )
By default, Apache CXF creates a /services
page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically present in modern browsers, which remove dot segments before sending the request. However, Mobile applications may be vulnerable.
References
Detect and mitigate CVE-2019-17573 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →