PT-2020-5462 · Apache · Apache Cxf

Ryan Lambeth · Published 2020-11-12 · Updated 2022-05-12 · CVE-2020-13954

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Apache CXF versions prior to 3.4.1
Apache CXF versions prior to 3.3.8

Description

The issue is a reflected Cross-Site Scripting (XSS) vulnerability via the styleSheetPath parameter, which allows a malicious actor to inject JavaScript into the web page. It occurs because the page does not sanitize or encode the parameter value before embedding it in the page structure. Exploitation of this issue may allow a remote attacker to conduct cross-site scripting attacks against users who open a crafted link.

Recommendations

For versions prior to 3.4.1, update to version 3.4.1 or later. For versions prior to 3.3.8, update to version 3.3.8 or later. As a temporary workaround, consider restricting access to the /services page and the styleSheetPath parameter to minimize the risk of exploitation.
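As an added example (not part of this advisory and not CXF's own fix), the following Python shows the workaround's allowlist idea applied to the styleSheetPath value, plus a check over access-log lines that flags /services requests whose styleSheetPath fails it. The log format, IP addresses and allowlist policy are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical allowlist for a stylesheet reference on the services page:
# a relative path of safe characters ending in ".css" (not CXF's own rule).
SAFE_STYLESHEET = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*\.css$")

def is_safe_stylesheet_path(value: str) -> bool:
    """True only for a plain relative .css path with no traversal segment."""
    if not SAFE_STYLESHEET.fullmatch(value):
        return False
    return ".." not in value.split("/")

# Combined-log-format request line: client IP, request target, status code.
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)

def suspicious_services_requests(log_lines):
    """Return (client_ip, decoded styleSheetPath, status) for requests to a
    path ending in /services whose styleSheetPath fails the allowlist."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        parts = urlsplit(target)
        # CXF may be mounted under a prefix, so match on the path suffix.
        if not parts.path.rstrip("/").endswith("/services"):
            continue
        values = parse_qs(parts.query, keep_blank_values=True)
        for raw in values.get("styleSheetPath", []):
            value = unquote(raw)  # second decode catches double-encoded values
            if not is_safe_stylesheet_path(value):
                hits.append((ip, value, status))
    return hits

# Constructed sample log lines (addresses and hosts are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2020:10:01:02 +0000] "GET /services?styleSheetPath=custom.css HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Nov/2020:10:01:07 +0000] "GET /services?styleSheetPath=x%22%3Cbad%3E HTTP/1.1" 200 5200',
    '10.0.0.9 - - [12/Nov/2020:10:01:09 +0000] "GET /cxf/services?styleSheetPath=//evil.example/x.css HTTP/1.1" 200 5200',
    '10.0.0.7 - - [12/Nov/2020:10:02:00 +0000] "GET /index.html?styleSheetPath=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in suspicious_services_requests(SAMPLE_LOG):
        print("suspicious styleSheetPath:", hit)
```

The allowlist also rejects protocol-relative and absolute URLs, so a stylesheet cannot be loaded from another origin even when the value contains no markup characters.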

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2021-00711
CVE-2020-13954
GHSA-64X2-GQ24-75PV

Affected Products

Apache Cxf