Headline
CVE-2020-13954
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject JavaScript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue from CVE-2019-17573.
Apache CXF Reflected XSS in the services listing page via the styleSheetPath (CVE-2020-13954)

PRODUCT AFFECTED:

This issue affects Apache CXF.

PROBLEM:

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject JavaScript into the web page.

This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue from CVE-2019-17573.

This issue has been assigned CVE-2020-13954.

WORKAROUND:

Users of Apache CXF should update to either 3.3.8 or 3.4.1. Alternatively, it is possible to disable the service listing altogether by setting the "hide-service-list-page" servlet parameter to "true".

RELATED LINKS:

CVE-2020-13954 at cve.mitre.org

ACKNOWLEDGEMENTS:

Thanks to Ryan Lambeth for reporting this issue.
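An added example, not part of the advisory or of Apache CXF: a small audit that applies the two remediation options above to a deployment, flagging CXFServlet declarations in a web.xml that lack hide-service-list-page=true and checking a CXF version string against the fixed releases. The function names and sample descriptors are constructed for illustration; the version check assumes 3.3.8 fixes the 3.3.x line and 3.4.1 fixes 3.4.x and later, and only servlets declared in web.xml with the stock CXFServlet class are inspected.

```python
import xml.etree.ElementTree as ET

CXF_SERVLET = "org.apache.cxf.transport.servlet.CXFServlet"

def local(tag):
    """Strip any XML namespace so javaee and jakartaee descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def exposed_cxf_servlets(web_xml):
    """Return names of CXFServlet declarations that still serve the listing page."""
    exposed = []
    for servlet in ET.fromstring(web_xml).iter():
        if (local(servlet.tag), child_text(servlet, "servlet-class")) != ("servlet", CXF_SERVLET):
            continue
        hidden = any(
            local(p.tag) == "init-param"
            and child_text(p, "param-name") == "hide-service-list-page"
            and child_text(p, "param-value") == "true"  # exact value from the advisory
            for p in servlet
        )
        if not hidden:
            exposed.append(child_text(servlet, "servlet-name"))
    return exposed

def is_fixed_version(version):
    """True for 3.3.x >= 3.3.8 and for anything >= 3.4.1 (assumed branch reading)."""
    parts = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    if parts[:2] == (3, 3):
        return parts >= (3, 3, 8)
    return parts >= (3, 4, 1)

# Constructed sample descriptors (not taken from the advisory).
WEB_XML_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>cxf</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
  </servlet>
</web-app>"""

HIDE_PARAM = ("<init-param><param-name>hide-service-list-page</param-name>"
              "<param-value>true</param-value></init-param>")
WEB_XML_HIDDEN = WEB_XML_DEFAULT.replace("</servlet>", HIDE_PARAM + "</servlet>")
```

A deployment that reports an exposed servlet and also fails is_fixed_version is the case the advisory describes; either upgrading or adding the init-param clears it.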