CVE-2016-6812 is a vulnerability in Apache CXF
Published on August 10, 2017
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.
Products Associated with CVE-2016-6812
Want to know whenever a new CVE is published for Apache CXF? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache CXF:- Version prior to 3.0.12 is affected.
- Version 3.1.x prior to 3.1.9 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.