CVE-2020-13954

Apache CXF Reflected XSS in the services listing page via the styleSheetPath

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

17.5%

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.

Por defecto, Apache CXF crea una página /services que contiene una lista de los nombres y direcciones de los endpoints disponibles. Esta página web es vulnerable a un ataque de tipo Cross-Site Scripting (XSS) reflejado por medio de styleSheetPath, que permite a un actor malicioso inyectar javascript en la página web. Esta vulnerabilidad afecta a todas las versiones de Apache CXF versiones anteriores a 3.4.1 y 3.3.8. Por favor tome en cuenta que este es un problema independiente de CVE-2019-17573

This release of Red Hat Fuse 7.9.0 serves as a replacement for Red Hat Fuse 7.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP request smuggling, bypass, code execution, cross site scripting, denial of service, deserialization, information leakage, man-in-the-middle, memory leak, resource exhaustion, server-side request forgery, remote SQL injection, and traversal vulnerabilities.

*Credits: Thanks to Ryan Lambeth for reporting this issue.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-08 CVE Reserved
2020-11-12 CVE Published
2025-02-13 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (17)

URL	Tag	Source
https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cannounce.a...	Mailing List
https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cdev.cxf.ap...	Mailing List
https://lists.apache.org/thread.html/r51fdd73548290b2dfd0b48f7ab69bf9ae064dd100364cd8a15f0b3ec%40%3Cusers.cxf....	Mailing List
https://lists.apache.org/thread.html/r640719c9ce5671f239a6f002c20e14062effe4b318a580b6746aa5ef%40%3Cdev.syncop...	Mailing List
https://lists.apache.org/thread.html/r81a41a2915985d49bc3ea57dde2018b03584a863878a8532a89f993f%40%3Cusers.cxf....	Mailing List
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cx...	Mailing List
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cx...	Mailing List
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cx...	Mailing List
https://security.netapp.com/advisory/ntap-20210513-0010	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Not Applicable

1 - 10 of 10

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuApr2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

1 - 3 of 3

URL	Date	SRC
http://cxf.apache.org/security-advisories.data/CVE-2020-13954.txt.asc?version=1&modification...	2023-11-07
http://www.openwall.com/lists/oss-security/2020/11/12/2	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-13954	2021-08-18
https://bugzilla.redhat.com/show_bug.cgi?id=1898235	2021-08-18

1 - 4 of 4

Affected Vendors, Products, and Versions (11)

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				< 3.3.8 Search vendor "Apache" for product "Cxf" and version " < 3.3.8"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				>= 3.4.0 < 3.4.1 Search vendor "Apache" for product "Cxf" and version " >= 3.4.0 < 3.4.1"		-		Affected
Netapp Search vendor "Netapp"		Snap Creator Framework Search vendor "Netapp" for product "Snap Creator Framework"				-		-		Affected
Netapp Search vendor "Netapp"		Vasa Provider For Clustered Data Ontap Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap"				>= 9.6 Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap" and version " >= 9.6"		-		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				5.5.0.0.0 Search vendor "Oracle" for product "Business Intelligence" and version "5.5.0.0.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				5.9.0.0.0 Search vendor "Oracle" for product "Business Intelligence" and version "5.9.0.0.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.3.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.4.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Retail Order Broker Cloud Service Search vendor "Oracle" for product "Retail Order Broker Cloud Service"				15.0 Search vendor "Oracle" for product "Retail Order Broker Cloud Service" and version "15.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server"				8.0.2 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.0.2"		-		Affected

1 - 10 of 11