CVE-2021-20293

Name of the Vulnerable Software and Affected Versions: RESTEasy versions up to 4.6.0.Final

Description: A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack, posing a threat to data confidentiality and integrity.

Recommendations: For versions up to 4.6.0.Final, update to a version later than 4.6.0.Final to resolve the issue. As a temporary workaround, consider restricting the use of @javax.ws.rs.PathParam without any @Produces MediaType to minimize the risk of exploitation.