CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath

Vendor: Apache Software Foundation
Product: Apache CXF
Weakness: CWE-79 (XSS)
Published: November 12, 2020
Last update: February 13, 2025

What the vulnerability does

01 Description

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This page is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject JavaScript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Note that this is a separate issue from CVE-2019-17573.

Key dates

02 Disclosure timeline

November 12, 2020: CVE published
February 13, 2025: Record updated