Improper Neutralization of Input During Web Page Generation in Apache CXF

The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. Th...

CVE-2016-6812

The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. Th...

Design/Logic Flaw

The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. Th...

Cross-site Scripting (XSS)

Apache CXF HTTP transport is vulnerable to cross-site scripting XSS attacks. It exists when a request URL contains unexpected matrix parameters. Apache CXF HTTP transport uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available...