OSV:GHSA-F93P-F762-VR53 (type: osv, source: Google)
Jun 10, 2020 - 8:02 p.m.

Reflected Cross-Site Scripting in Apache CXF

2020-06-10 20:02:33
Google
osv.dev
Tags: apache cxf, reflected cross-site scripting, xss, webpage, vulnerable, mobile applications

EPSS: 0.006 (percentile: 78.1%)

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject JavaScript into the web page. Please note that the attack exploits a feature which is typically not present in modern browsers, which remove dot segments before sending the request. However, mobile applications may be vulnerable.
