CVE-2016-6812

Severity: 6.1 MEDIUM
EPSS: 8.6% (top 7.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2017-08-10; Latest update 2022-05-13

Description

The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix para
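The mechanism above is easier to see with a small model of the services-list page. The following Python is an added illustration, not Apache CXF code: it derives a base URL from a request URL the way the flawed path does (request path kept verbatim, matrix parameters included), renders the endpoint list in both the vulnerable and the hardened form, and offers a pre-check that flags matrix parameters on a request that should not carry any. The hostname, the endpoint names, and the probe URL are constructed sample data; the fix shown (strip `;name=value` from every path segment, then HTML-escape the attribute) is the generic remediation for this bug class, not a claim about the exact patch CXF shipped.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data (hypothetical deployment, not a real CXF server):
# endpoint names mapped to their path under the servlet base.
ENDPOINTS = {
    "CustomerService": "/CustomerService",
    "OrderService": "/OrderService",
}


def base_url_from_request(request_url: str) -> str:
    """Model of deriving the listing's base URL from the incoming request.

    As in the flawed behaviour described above, the request path is kept
    verbatim, matrix parameters (';name=value' inside a segment) included;
    only the query string and fragment are dropped.
    """
    parts = urlsplit(request_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def strip_matrix_params(path: str) -> str:
    """Drop ';...' from every path segment, keeping only the segment name."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def injected_matrix_params(request_url: str) -> list:
    """Return the matrix parameters carried in the request path.

    A services-list request normally carries none, so any hit is worth
    logging as a probe, independent of whether the page is patched.
    """
    found = []
    for seg in urlsplit(request_url).path.split("/"):
        _name, sep, rest = seg.partition(";")
        if sep:
            found.append(rest)
    return found


def render_service_list(request_url: str, endpoints: dict, hardened: bool) -> str:
    """Build the HTML services page.

    hardened=False mirrors the vulnerable behaviour: the raw base URL is
    concatenated into an href attribute, so whatever the client put into a
    matrix parameter is reflected unescaped.
    hardened=True does both things the fix needs: matrix parameters are
    stripped before the absolute URL is built, and the attribute value is
    HTML-escaped (escape() also covers endpoint names).
    """
    base = base_url_from_request(request_url)
    if hardened:
        p = urlsplit(base)
        base = urlunsplit((p.scheme, p.netloc, strip_matrix_params(p.path), "", ""))
    rows = []
    for name, rel in sorted(endpoints.items()):
        absolute = base.rstrip("/") + rel
        href = escape(absolute, quote=True) if hardened else absolute
        rows.append(f'<li><a href="{href}">{escape(name)}</a></li>')
    return ("<html><body><h2>Available services</h2><ul>"
            + "".join(rows) + "</ul></body></html>")


if __name__ == "__main__":
    # Constructed probe: a matrix parameter that breaks out of the href attribute.
    probe = 'http://cxf.example.test/app/services;x="onmouseover="alert(1)'
    print("matrix params seen:", injected_matrix_params(probe))
    print("vulnerable page:", render_service_list(probe, ENDPOINTS, hardened=False))
    print("hardened page:  ", render_service_list(probe, ENDPOINTS, hardened=True))
```

Stripping alone is what makes the absolute URLs correct again; escaping alone would stop the attribute breakout but still advertise the injected text in every link. Doing both is the defensive choice, which is why the hardened path applies both.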

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

Maven: org.apache.cxf:cxf-core, 3.1.0 up to (fixed in) 3.1.9, +1 more range
NVD: apache/cxf, 3.0.11, +9 more versions
CVEListV5: apache_software_foundation/apache_cxf, 3.1.x prior to 3.1.9, prior to 3.0.12, +1 more

Patches

🔴 Vulnerability Details (3)

GHSA: Improper Neutralization of Input During Web Page Generation in Apache CXF (2022-05-13)
OSV: Improper Neutralization of Input During Web Page Generation in Apache CXF (2022-05-13)
CVEList: CVE-2016-6812: The HTTP transport module in Apache CXF prior to 3… (2017-08-10)

📋 Vendor Advisories (1)

Red Hat: apache-cxf: XSS in Apache CXF FormattedServiceListWriter (2016-12-19)

💬 Community (2)

Bugzilla: CVE-2016-6812 apache-cxf: XSS in Apache CXF FormattedServiceListWriter (2016-12-21)
Bugzilla: CVE-2016-6812 CVE-2016-8739 cxf: various flaws [fedora-all] (2016-12-21)

Source: cvebase.io, CVE-2016-6812 (MEDIUM, CVSS 6.1)