Description

A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1814974

https://github.com/quarkusio/quarkus/issues/7248

https://issues.redhat.com/browse/RESTEASY-2519

https://security.netapp.com/advisory/ntap-20210706-0008/

Related Vulnerabilities

CVE-2023-26149 Vulnerability in maven package org.webjars.npm:quill-mention

CVE-2022-25867 Vulnerability in maven package io.socket:socket.io-client

CVE-2019-14820 Vulnerability in maven package org.keycloak:keycloak-core

CVE-2023-24815 Vulnerability in maven package io.vertx:vertx-web

CVE-2021-22112 Vulnerability in maven package org.springframework.security:spring-security-core

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Issue Tracking Patch Vendor Advisory Exploit Third Party Advisory Permissions Required NVD-CWE-noinfo