Resteasy · Resteasy · CVE-2021-20293
Name of the Vulnerable Software and Affected Versions:
RESTEasy versions up to 4.6.0.Final
Description:
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy, where it did not properly handle URL encoding when calling `@javax.ws.rs.PathParam` without any `@Produces` MediaType. This flaw allows an attacker to launch a reflected XSS attack, posing a threat to data confidentiality and integrity.
Recommendations:
For versions up to 4.6.0.Final, update to a version later than 4.6.0.Final to resolve the issue. As a temporary workaround, consider restricting the use of `@javax.ws.rs.PathParam` without any `@Produces` MediaType to minimize the risk of exploitation.