N/A

The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.

N/A

N/A

Apache CXF 跨站脚本漏洞

Apache CXF是美国阿帕奇（Apache）软件基金会的一个开源的Web服务框架。该框架支持多种Web服务标准、多种前端编程API等。 Apache CXF 3.0.12之前的版本和3.1.9之前的版本中存在跨站脚本漏洞。远程攻击者可利用该漏洞在浏览器中执行任意脚本代码，窃取基于cookie的身份验证证书。

N/A

N/A