Zero-friction vulnerability management platform

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.


Available for macOS, Windows, and Linux


CVE-2020-13954

CVE information

Published: 2 years ago
Last Modified: 6 months ago
CVSSv2.0 Severity: Medium
CVSSv3.1 Severity: Medium

Impact Analysis

Description

By default, Apache CXF creates a /services page listing the available endpoint names and addresses. This page is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath value, which lets a malicious actor inject JavaScript into the page. The vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8 (the fix releases for the 3.4.x and 3.3.x lines, respectively). Note that this is a separate issue from CVE-2019-17573.
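To make the mechanism concrete, here is an added Python illustration of the bug class described above: a service listing page that drops a request-controlled stylesheet path straight into a `<link href>` attribute, beside the same page rendered with context-appropriate HTML escaping. This is not CXF's code (CXF is Java and builds its page differently); the function names, the endpoint list and the probe string are constructed for the example, and the parameter is simply named after the styleSheetPath value the description mentions.

```python
import html

# Constructed sample endpoint listing, of the kind a /services page shows.
ENDPOINTS = [("HelloWorld", "/services/hello"), ("OrderService", "/services/orders")]

# Constructed probe: closes the href attribute and the <link> tag, then injects a script element.
PROBE = '"><script>alert(1)</script>'


def render_services_page_unsafe(style_sheet_path: str, endpoints=ENDPOINTS) -> str:
    """Vulnerable pattern: a request-derived value is concatenated into an HTML
    attribute with no output encoding, so '"' and '>' in it end the attribute and tag."""
    rows = "".join(f'<li><a href="{addr}">{name}</a></li>' for name, addr in endpoints)
    return (
        "<html><head>"
        f'<link rel="stylesheet" type="text/css" href="{style_sheet_path}"/>'
        "</head><body><h2>Available services</h2>"
        f"<ul>{rows}</ul></body></html>"
    )


def render_services_page_safe(style_sheet_path: str, endpoints=ENDPOINTS) -> str:
    """Hardened form: every request-derived value is HTML-escaped for the context
    it lands in. quote=True also encodes '"' and "'", which is what keeps an
    attacker inside the attribute value."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)

    rows = "".join(f'<li><a href="{esc(addr)}">{esc(name)}</a></li>' for name, addr in endpoints)
    return (
        "<html><head>"
        f'<link rel="stylesheet" type="text/css" href="{esc(style_sheet_path)}"/>'
        "</head><body><h2>Available services</h2>"
        f"<ul>{rows}</ul></body></html>"
    )


def contains_injected_script(page: str) -> bool:
    """True when the probe reached the page as live markup rather than as text."""
    return "<script>alert(1)</script>" in page


if __name__ == "__main__":
    print("unsafe page injectable:", contains_injected_script(render_services_page_unsafe(PROBE)))
    print("safe page injectable:  ", contains_injected_script(render_services_page_safe(PROBE)))
```

Escaping stops the attacker breaking out of the attribute, which is the reflected XSS at issue here; it does not validate that the value is a sensible stylesheet location. A stricter fix for a field like this is to accept only a relative path (or a fixed allow-list) before it is rendered at all, and to escape it anyway.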

CVSSv2.0 Score

Severity: Medium
Base Score: 4.3/10
Exploitability Score: 8.6
Impact Score: 2.9
Access Vector: Network
Access Complexity: Medium
Authentication Required: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSSv3.1 Score

Severity: Medium
Base Score: 6.1/10
Exploitability Score: 2.8
Impact Score: 2.7
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Products Affected

CPE                                                             Vulnerable  From (incl.)  Up to (excl.)
cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*                            Yes         3.4.0         3.4.1
cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*                            Yes         -             3.3.8
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*         Yes         -             -
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:    Yes         9.6           -
cpe:2.3:a:oracle:retail_order_broker_cloud_service:15.0:*:*:    Yes         -             -
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:ente    Yes         -             -
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:ente    Yes         -             -
cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enter    Yes         -             -
cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*    Yes         -             -
cpe:2.3:o:oracle:communications_messaging_server:8.0.2:*:*:*    Yes         -             -
cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enter    Yes         -             -

Version bounds use the NVD convention: "From" is inclusive, "Up to" is exclusive, and "-" means no bound is given for that side of the range.
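The two Apache CXF rows above are what a vulnerability check actually tests: a version is affected if it is in [3.4.0, 3.4.1) or below 3.3.8. As an added example (not Mageni's scanner code), the Python below encodes those two ranges, compares dotted versions correctly (so that 3.3.10 is newer than 3.3.8 and 3.4 equals 3.4.0), and runs the check over a constructed directory listing. The jar-name pattern cxf-<module>-<version>.jar is an assumption about how CXF artifacts are named, and the sample file names are made up for the example.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges for cpe:2.3:a:apache:cxf as listed above:
# (start, inclusive), (end, exclusive); None stands for a "-" (no bound) entry.
AFFECTED_RANGES = [
    ("3.4.0", "3.4.1"),
    (None, "3.3.8"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.3.7' -> (3, 3, 7). Numeric components only; a trailing qualifier such
    as '-SNAPSHOT' on the last component is ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """-1, 0 or 1. Missing components count as 0, so 3.4 == 3.4.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(version: str) -> bool:
    """True if the CXF version falls inside any listed affected range."""
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if start is not None and compare(v, parse_version(start)) < 0:
            continue
        if end is not None and compare(v, parse_version(end)) >= 0:
            continue
        return True
    return False


# Assumed artifact naming: cxf-<module>-<version>[-qualifier].jar
JAR_RE = re.compile(r"^cxf-[A-Za-z0-9-]+-(\d+(?:\.\d+)+)(?:[-.][A-Za-z0-9]+)*\.jar$")


def cxf_version_from_jar(filename: str) -> Optional[str]:
    """Version string from a CXF jar file name, or None for non-CXF jars."""
    m = JAR_RE.match(filename)
    return m.group(1) if m else None


def affected_jars(filenames: List[str]) -> List[Tuple[str, str]]:
    """(filename, version) for every CXF jar whose version is in an affected range."""
    hits = []
    for name in filenames:
        ver = cxf_version_from_jar(name)
        if ver is not None and is_affected(ver):
            hits.append((name, ver))
    return hits


# Constructed sample lib/ listing; not taken from any real deployment.
SAMPLE_LIBS = [
    "cxf-core-3.3.7.jar",               # affected: below 3.3.8
    "cxf-rt-frontend-jaxrs-3.3.7.jar",  # affected
    "cxf-core-3.4.0.jar",               # affected: 3.4.0 <= v < 3.4.1
    "cxf-core-3.4.1.jar",               # fixed
    "cxf-core-3.3.8.jar",               # fixed
    "jackson-core-2.10.0.jar",          # not CXF
]

if __name__ == "__main__":
    for name, ver in affected_jars(SAMPLE_LIBS):
        print(f"{name}: CXF {ver} is in an affected range for CVE-2020-13954")
```

Matching on jar names is a heuristic: shaded or repackaged jars hide the version, and the NetApp and Oracle rows in the table bundle CXF under their own product version numbers, so those need a product-level check rather than this one. Confirming the finding against a running instance still requires a request to the /services page, which this check does not make.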