-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Apache CXF Reflected XSS in the services listing page via the styleSheetPath (CVE-2020-13954)

PRODUCT AFFECTED:

This issue affects Apache CXF.

PROBLEM:

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page.

This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8.

Please note that this is a separate issue to CVE-2019-17573.

This issue has been assigned CVE-2020-13954.

WORKAROUND:

Users of Apache CXF should update to either 3.3.8 or 3.4.1. Alternatively, it is possible to disable the service listing altogether by setting the "hide-service-list-page" servlet parameter to "true".

RELATED LINKS:

CVE-2020-13954 at cve.mitre.org

ACKNOWLEDGEMENTS:

Thanks to Ryan Lambeth for reporting this issue.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE20Xs0ZuXUU9ycQWuZ7+AsQrVOYMFAl+tKGUACgkQZ7+AsQrV
OYOejAf/YSmg5GoWhWB77V5P21yHigEus1Zgg68iNJ9tm6QXEJafJ0UEibPaFKpO
4N4UyBa4ur7ULbRQuzxL+wru5DkhDaKKdmEvSv9MHrqOGqy2Zz6m3154+3VgMuB7
DS7eGqDe4LihkmdI4qubWw45etdX3POAcU9tIDNsfnBX9b4zuvNYbrezDPbk+irM
BfmTl9MO1D/D3W5qetpCHDCtQYtJ/yKC0C9yri8tna8FwL30Jpu+w34H+hNYOQRw
2Kud/r/tm5crFsdCCqealNSoUtxg/BvLCu8owLODjHt6acf6axuPA36EPzl/7+fH
VD8jsCX0FeSsagBefJDQyNkj5BKgSg==
=3le2
-----END PGP SIGNATURE-----