Cross-Site Scripting Vulnerability in Apache CXF HTTP Transport Module
CVE-2016-6812

6.1 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 10 August 2017

Summary

The HTTP transport module in Apache CXF can publish a service list page (normally served from the /services path) that enumerates the deployed endpoints. When that page is rendered by the FormattedServiceListWriter, matrix parameters (the ;name=value segments attached to a path segment of the request URL) are reflected into the generated HTML without being escaped. An attacker who gets a user to open a crafted service list URL can therefore inject script that runs in the user's browser in the origin of the CXF host (reflected XSS), which enables session hijacking, theft of data visible to that user, or actions taken with the user's credentials. The defect is a missing output encoding step in the service list writer, not a client-side problem, so it can only be removed on the server: upgrade to a fixed release (3.0.12, 3.1.9 or later), or disable the service list page where it is not needed.
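The following is an added check, written for this page and not code from Apache CXF or from the original advisory. It requests the service list page with a matrix parameter carrying a marker that contains characters any HTML writer must escape, then classifies whether the marker came back raw (the reflected-XSS sink described above), came back escaped or stripped (a fixed release), or was not reflected at all. The /services path, the parameter name, the marker string, and the assumption that the server percent-decodes the path before reflecting it are all assumptions made for the example; the two sample response bodies are constructed, not captured from a real deployment.

```python
"""Check whether a CXF service list page reflects matrix parameters unescaped
(the CVE-2016-6812 pattern). Added example; assumptions are marked inline."""
import html
import urllib.request
from urllib.parse import quote

# The stem lets us recognise the reflection even after the specials are
# escaped or removed; the specials are what an HTML writer must neutralise.
MARKER_STEM = "cxfprobe"
MARKER = MARKER_STEM + '"<>'


def build_probe_url(service_list_url: str, param_name: str = "probe") -> str:
    """Attach a matrix parameter (;name=value on the path segment) to the
    service list URL. The value is percent-encoded so the request line is a
    valid HTTP target; we assume the server decodes it before reflecting it.
    '/services' is the conventional CXF service list path but is an assumption
    here: pass whatever path the deployment actually uses."""
    return f"{service_list_url.rstrip('/')};{param_name}={quote(MARKER, safe='')}"


def classify_reflection(body: str) -> str:
    """Classify how a response body handled the marker:
       'unescaped' - raw marker with " < > present: an injectable sink
       'escaped'   - stem present but the specials were escaped or dropped
       'absent'    - the matrix parameter was not reflected at all"""
    if MARKER in body:
        return "unescaped"
    if MARKER_STEM in body:
        return "escaped"
    return "absent"


def probe(service_list_url: str, timeout: float = 10.0) -> str:
    """Fetch the page with the probe matrix parameter and classify it.
    Only run this against hosts you are authorised to test."""
    url = build_probe_url(service_list_url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body)


# Constructed sample bodies (not captured from a real CXF instance) showing a
# service list link that embeds the request path, once raw and once escaped.
SAMPLE_UNESCAPED = (
    '<html><body><h2>Available SOAP services:</h2>'
    '<a href="http://localhost:8080/services;probe=cxfprobe"<>/Hello?wsdl">Hello</a>'
    '</body></html>'
)
SAMPLE_ESCAPED = (
    '<html><body><h2>Available SOAP services:</h2>'
    '<a href="http://localhost:8080/services;probe='
    + html.escape(MARKER, quote=True)
    + '/Hello?wsdl">Hello</a></body></html>'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python probe.py http://localhost:8080/services
        print(probe(sys.argv[1]))
    else:
        for name, body in (("unescaped", SAMPLE_UNESCAPED), ("escaped", SAMPLE_ESCAPED)):
            print(name, "->", classify_reflection(body))
```

A result of "unescaped" is the condition to act on; "escaped" means the writer is encoding its output, and "absent" most often means the deployment does not echo the request path into the page at all. Because the classification is string matching on the body, it is a quick triage, not proof of exploitability in a particular browser context.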

Affected Version(s)

Apache CXF prior to 3.0.12

Apache CXF 3.1.x prior to 3.1.9

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
