Cross-Site Scripting Vulnerability in Apache CXF HTTP Transport Module
CVE-2016-6812
What is CVE-2016-6812?
The HTTP transport module in Apache CXF allows an attacker to inject malicious matrix parameters into the request URL. These parameters can then be reflected back to the client in the service list page generated by the FormattedServiceListWriter. This behavior exposes users to potential XSS attacks, where malicious scripts could be executed in the context of the user's browser, leading to data theft, session hijacking, or other harmful actions. Ensuring that the server sanitizes input correctly is crucial to mitigate this vulnerability.
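
An added example (not Apache CXF's code and not its actual fix) of the pattern described above: a request path carrying a matrix parameter is written into a service-list link, first verbatim and then with the parameters dropped and the result HTML-encoded. The class and method names are hypothetical, the sample path is constructed, and stripping matrix parameters before output is an assumed mitigation on top of encoding.

```java
import java.util.ArrayList;
import java.util.List;

public class ServiceListEscaping {

    // Drop ";name=value" matrix parameters from every path segment.
    static String stripMatrixParams(String path) {
        List<String> out = new ArrayList<>();
        for (String seg : path.split("/", -1)) {
            int semi = seg.indexOf(';');
            out.add(semi >= 0 ? seg.substring(0, semi) : seg);
        }
        return String.join("/", out);
    }

    // Minimal HTML escaping for text nodes and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Unsafe pattern: the request-derived path reaches the markup unchanged.
    static String renderUnsafe(String requestPath) {
        return "<a href=\"" + requestPath + "?wsdl\">" + requestPath + "</a>";
    }

    // Hardened pattern: discard matrix parameters, then encode on output.
    static String renderSafe(String requestPath) {
        String clean = escapeHtml(stripMatrixParams(requestPath));
        return "<a href=\"" + clean + "?wsdl\">" + clean + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample: a matrix parameter that breaks out of the href attribute.
        String path = "/services;x=\"><i>injected/orders";
        System.out.println("unsafe: " + renderUnsafe(path));
        System.out.println("safe:   " + renderSafe(path));
    }
}
```

Encoding at the point of output is the control that matters; removing the matrix parameters only reduces what reaches the page in the first place.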

Affected Version(s)
Apache CXF prior to 3.0.12
Apache CXF 3.1.x prior to 3.1.9
EPSS Score
8% chance of being exploited in the next 30 days.