QwikSec

Security Database

CVE

CWE

Training

CVE-2019-17573

Published: Jan 16, 2020

Modified: Aug 5, 2024

PUBLISHED

Description

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.

Vendor	Product	Versions
Apache	CXF	affected `All versions of Apache CXF prior to 3.3.5 and 3.2.12.`

References

[announce] 20200116 [CVE-2019-17573] Apache CXF Reflected XSS in the services listing page

mailing-list

x_refsource_MLIST

[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html

mailing-list

x_refsource_MLIST

[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html

mailing-list

x_refsource_MLIST

https://www.oracle.com/security-alerts/cpujul2020.html

x_refsource_MISC

http://cxf.apache.org/security-advisories.data/CVE-2019-17573.txt.asc?version=1&modificationDate=1579178542000&api=v2

x_refsource_CONFIRM

[cxf-dev] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

mailing-list

x_refsource_MLIST

[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html

mailing-list

x_refsource_MLIST

[cxf-users] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

mailing-list

x_refsource_MLIST

[oss-security] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

mailing-list

x_refsource_MLIST

[announce] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

mailing-list

x_refsource_MLIST

[cxf-users] 20201125 RE: CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

mailing-list

x_refsource_MLIST

[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html

mailing-list

x_refsource_MLIST

https://www.oracle.com/security-alerts/cpuApr2021.html

x_refsource_MISC

[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.