VYPR
Moderate severityNVD Advisory· Published Nov 12, 2020· Updated Feb 13, 2025

Apache CXF Reflected XSS in the services listing page via the styleSheetPath

CVE-2020-13954

Description

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.cxf:apache-cxfMaven
< 3.3.83.3.8
org.apache.cxf:apache-cxfMaven
>= 3.4.0, < 3.4.13.4.1
org.apache.cxf:cxfMaven
< 3.3.83.3.8
org.apache.cxf:cxfMaven
>= 3.4.0, < 3.4.13.4.1

Affected products

3

Patches

Vulnerability mechanics

References

26

News mentions

0

No linked articles in our index yet.