Description

A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1814974

https://github.com/quarkusio/quarkus/issues/7248

https://issues.redhat.com/browse/RESTEASY-2519

https://security.netapp.com/advisory/ntap-20210706-0008/

Related Vulnerabilities

CVE-2021-32850 Vulnerability in npm package @claviska/jquery-minicolors

CVE-2022-21724 Vulnerability in maven package org.postgresql:postgresql

CVE-2023-29512 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2023-46122 Vulnerability in maven package org.scala-sbt:io_3

CVE-2023-40812 Vulnerability in maven package org.opencrx:opencrx-core-models

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Issue Tracking Patch Vendor Advisory Exploit Third Party Advisory Permissions Required NVD-CWE-noinfo