CVE-2019-17573 in Apache and Oracle Products
Published on January 16, 2020

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.

NVD

Products Associated with CVE-2019-17573

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2019-17573 are published in these products:

Apache CXF

Oracle Commerce Guided Search

Oracle Communications Element Manager

Oracle Communications Session Report Manager

Oracle Communications Session Route Manager

Oracle Flexcube Private Banking

Oracle Retail Order Broker

Affected Versions

Apache CXF Version All versions of Apache CXF prior to 3.3.5 and 3.2.12. is affected by CVE-2019-17573

Exploit Probability

EPSS

16.13%

Percentile

94.65%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

CVE-2019-17573 in Apache and Oracle ProductsPublished on January 16, 2020

Products Associated with CVE-2019-17573

Affected Versions

Exploit Probability

CVE-2019-17573 in Apache and Oracle Products
Published on January 16, 2020