CVE-2019-17573

Name of the Vulnerable Software and Affected Versions: Apache CXF (affected versions not specified)

Description: The issue is related to a reflected Cross-Site Scripting (XSS) attack in the /services page, which lists available endpoint names and addresses. This allows a malicious actor to inject javascript into the web page. The attack exploits a feature that is not typically present in modern browsers, but mobile applications may be vulnerable. The webpage is vulnerable due to the lack of protection measures for its structure.

Recommendations: For all affected versions, consider disabling the /services page as a temporary workaround until a patch is available. Restrict access to the /services page to minimize the risk of exploitation. Avoid using the webpage's features that allow injecting javascript into the page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.