Apache CXF Reflected XSS in the services listing page via the styleSheetPath
Description
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath parameter, which allows a malicious actor to inject JavaScript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache CXF /services page reflects the unvalidated styleSheetPath parameter, enabling reflected XSS.
Vulnerability
Description
CVE-2020-13954 is a reflected cross-site scripting (XSS) vulnerability in the Apache CXF framework's /services listing page. By default, Apache CXF generates a page that displays available endpoint names and addresses. The page accepts a styleSheetPath parameter that is reflected in the response without proper sanitization or encoding. An attacker can craft a malicious URL containing JavaScript in the styleSheetPath parameter, which will be executed in the context of the victim's browser when the page is loaded [1][2].
Exploitation
The attack surface is the publicly accessible /services page, which is enabled by default. No authentication is required to trigger the XSS. The attacker needs only to convince a user to click a crafted link or visit a maliciously constructed URL that includes the payload in the styleSheetPath parameter. The lack of input validation means that any JavaScript code can be injected directly into the page's HTML [1][2].
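Because the listing page is reachable without authentication, the practical detection point for this issue is the web server or reverse-proxy access log. The following Python is an added detection example, not part of this record or of Apache CXF: it scans constructed access-log lines for requests to a service-listing path whose styleSheetPath value contains characters that can break out of an HTML attribute or tag. The log lines, IP addresses and the assumption that the listing path's last segment is `services` (CXFServlet may be mounted under a prefix) are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Combined Log Format lines; not real traffic. Only the fourth
# line carries markup-breaking characters in styleSheetPath.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2020:10:01:02 +0000] "GET /services HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Nov/2020:10:01:09 +0000] "GET /services?wsdl HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Nov/2020:10:02:41 +0000] "GET /services?styleSheetPath=/css/site.css HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Nov/2020:10:03:15 +0000] "GET /cxf/services?styleSheetPath=%22%3E%3Cb%3E HTTP/1.1" 200 1830 "-" "curl/7.68.0"
10.0.0.9 - - [12/Nov/2020:10:04:00 +0000] "GET /api/services?styleSheetPath=x HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Request-line portion of a Common/Combined Log Format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Characters that let a reflected value escape an attribute or tag context.
MARKUP_CHARS = frozenset('<>"\'')


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_service_list_path(path):
    """Assumption of this example: the listing lives at <prefix>/services."""
    return path.rstrip("/").split("/")[-1] == "services"


def suspicious_stylesheet_requests(log_text):
    """Return one alert dict per request whose styleSheetPath carries markup characters."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not is_service_list_path(parts.path):
            continue
        # parse_qs already percent-decodes once; a second unquote catches
        # double-encoded values such as %2522.
        for value in parse_qs(parts.query).get("styleSheetPath", []):
            decoded = unquote(value)
            if MARKUP_CHARS & set(decoded):
                alerts.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "status": rec["status"],
                    "value": decoded,
                })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_stylesheet_requests(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]} status={alert["status"]} styleSheetPath={alert["value"]!r}')
```

The check is deliberately character-class based rather than signature based: any attribute- or tag-breaking character in a parameter that is supposed to hold a stylesheet path is anomalous, and a legitimate client never needs one there. A 200 status on such a request is the strongest signal that an unpatched instance answered it.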
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is compounded because the /services page may be accessible to unauthenticated users, making it a low-barrier entry point for attacks.
Mitigation
Apache CXF versions prior to 3.4.1 and 3.3.8 are affected. Users should upgrade to these patched versions. As a workaround, administrators can disable the service listing entirely by setting the hide-service-list-page servlet parameter to true. The fix ensures the styleSheetPath parameter is properly encoded before being reflected in the response [1][2].
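The fix is output encoding at the point where the value is reflected. As an added illustration (example code, not Apache CXF's source), the following Python contrasts raw concatenation of styleSheetPath into a stylesheet link with HTML-attribute encoding, and adds an allow-list check as defence in depth. The exact `<link>` markup shape, the default path `/css/services.css` and the allow-list pattern are this example's assumptions, not CXF's.

```python
import html
import re

# Constructed value that tries to close the href attribute and open a new tag.
BREAKOUT_PATH = '"><b>'

LINK_TEMPLATE = '<link rel="stylesheet" type="text/css" href="%s">'

# Assumption of this example: only an absolute, single-rooted path ending in
# .css is acceptable. The leading "/" followed by a non-slash character also
# rejects protocol-relative values such as //cdn.example/x.css.
SAFE_PATH_RE = re.compile(r'^(?:/[A-Za-z0-9._-]+)+\.css$')


def render_stylesheet_link_unsafe(path):
    """Pre-fix behaviour as described above: the parameter is concatenated raw."""
    return LINK_TEMPLATE % path


def render_stylesheet_link_encoded(path):
    """Fixed behaviour: HTML-attribute-encode before reflecting.

    html.escape(quote=True) escapes & < > " and ', so the value can no longer
    terminate the attribute or start a tag.
    """
    return LINK_TEMPLATE % html.escape(path, quote=True)


def validated_stylesheet_path(path, default="/css/services.css"):
    """Defence in depth: fall back to a known path unless the value is plainly a .css path."""
    return path if SAFE_PATH_RE.match(path) else default


def count_tags(markup):
    """Crude tag count used to show that the unsafe rendering yields extra tags."""
    return len(re.findall(r'<[A-Za-z][^>]*>', markup))


if __name__ == "__main__":
    unsafe = render_stylesheet_link_unsafe(BREAKOUT_PATH)
    encoded = render_stylesheet_link_encoded(BREAKOUT_PATH)
    print("unsafe :", unsafe, "->", count_tags(unsafe), "tags")
    print("encoded:", encoded, "->", count_tags(encoded), "tags")
    print("validated:", validated_stylesheet_path(BREAKOUT_PATH))
```

Encoding alone is what the upstream fix relies on; the allow-list is an extra layer that also stops a well-formed but unwanted external stylesheet URL from being injected, which encoding by itself does not prevent.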
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:apache-cxf (Maven) | < 3.3.8 | 3.3.8 |
| org.apache.cxf:apache-cxf (Maven) | >= 3.4.0, < 3.4.1 | 3.4.1 |
| org.apache.cxf:cxf (Maven) | < 3.3.8 | 3.3.8 |
| org.apache.cxf:cxf (Maven) | >= 3.4.0, < 3.4.1 | 3.4.1 |
Affected products
- GHSA coordinates (2 version ranges): < 3.3.8, + 1 more
- (no CPE) range: < 3.3.8
- Apache Software Foundation / Apache CXF (CVE v5 record): range unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-64x2-gq24-75pv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-13954 (ghsa, ADVISORY)
- cxf.apache.org/security-advisories.data/CVE-2020-13954.txt.asc (ghsa, x_refsource_MISC, WEB)
- www.openwall.com/lists/oss-security/2020/11/12/2 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cannounce.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cdev.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cusers.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cannounce.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cdev.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec@%3Cusers.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r640719c9ce5671f239a6f002c20e14062effe4b318a580b6746aa5ef%40%3Cdev.syncope.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r640719c9ce5671f239a6f002c20e14062effe4b318a580b6746aa5ef@%3Cdev.syncope.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r81a41a2915985d49bc3ea57dde2018b03584a863878a8532a89f993f%40%3Cusers.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r81a41a2915985d49bc3ea57dde2018b03584a863878a8532a89f993f@%3Cusers.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E (ghsa, WEB)
- security.netapp.com/advisory/ntap-20210513-0010 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20210513-0010/ (mitre, x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpuApr2021.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpuapr2022.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujan2021.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpuoct2021.html (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.