{"schema_version": "1.6.1", "id": "CVE-2020-13954", "summary": "Apache CXF Reflected XSS in the services listing page via the styleSheetPath", "details": "By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page.\n\nThis vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8.\n\nPlease note that this is a separate issue to CVE-2019-17573.\n", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "unspecified"}, {"fixed": "3.4.1"}]}]}], "references": [{"type": "ADVISORY", "url": "http://cxf.apache.org/security-advisories.data/CVE-2020-13954.txt.asc?version=1&modificationDate=1605183670659&api=v2"}]}