Back to search
CVE-2020-13954
Published: Nov 12, 2020
Modified: Feb 13, 2025
PUBLISHED
Description
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
| Vendor | Product | Versions |
|---|---|---|
Apache Software Foundation | Apache CXF | affected unspecified - < 3.4.1affected unspecified - < 3.3.8 |
Weaknesses (CWE)
References
[cxf-dev] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath
mailing-list
x_refsource_MLIST
[cxf-users] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath
mailing-list
x_refsource_MLIST
[oss-security] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath
mailing-list
x_refsource_MLIST
[announce] 20201112 CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath
mailing-list
x_refsource_MLIST
https://www.oracle.com/security-alerts/cpujan2021.html
x_refsource_MISC
[syncope-dev] 20210526 [GitHub] [syncope] coheigea opened a new pull request #268: Disable CXF Services Listing
mailing-list
x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuApr2021.html
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20210513-0010/
x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpuoct2021.html
x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now