Apache CXF CVE-2020-13954 vulnerability in Apache and Other Products
Published on November 12, 2020

Apache CXF Reflected XSS in the services listing page via the styleSheetPath

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This web page is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath parameter, which allows a malicious actor to inject JavaScript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue from CVE-2019-17573.

Weakness Type

What is an XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2020-13954 has been classified as an XSS vulnerability or weakness.



Affected Versions

Apache Software Foundation Apache CXF:

Exploit Probability

EPSS: 8.41%
Percentile: 92.15%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.