CVE-2021-20293: Cross-site Scripting in Redhat Resteasy

Severity
6.1 MEDIUM (NVD)
EPSS
0.4%
top 39.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 10
Latest update: Jun 15

Description

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

NVD: redhat/resteasy 4.6.0
CVEListV5: redhat/resteasy, all versions of RESTEasy up to 4.6.0.Final

Vulnerability Details (4)
OSV
Cross-Site Scripting (2021-06-15)
GHSA
Cross-Site Scripting (2021-06-15)
CVEList
CVE-2021-20293: A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4 (2021-06-10)
OSV
CVE-2021-20293: A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4 (2021-06-10)

Vendor Advisories (1)
Red Hat
RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack (2021-03-25)