Description

A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1814974

https://github.com/quarkusio/quarkus/issues/7248

https://issues.redhat.com/browse/RESTEASY-2519

https://security.netapp.com/advisory/ntap-20210706-0008/

Related Vulnerabilities

CVE-2023-28155 Vulnerability in npm package request

CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-hikari-dbcp-service

CVE-2022-41940 Vulnerability in npm package engine.io

CVE-2022-25979 Vulnerability in npm package jsuites

CVE-2023-37947 Vulnerability in maven package org.openshift.jenkins:openshift-login

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Issue Tracking Patch Vendor Advisory Exploit Third Party Advisory Permissions Required NVD-CWE-noinfo