Description
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final (3.x branch) and before 4.5.3.Final (4.x branch). When the RESTEASY003870 exception is raised, RESTEasy did not properly URL-encode the request data it reflected into the error response, so attacker-controlled input could be echoed back to the client unescaped. An attacker could use this flaw to launch a reflected XSS attack against users of an affected application.
Remediation
Upgrade RESTEasy to 3.11.1.Final or later on the 3.x branch, or to 4.5.3.Final or later on the 4.x branch, which are the first releases the description identifies as unaffected.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1814974
https://github.com/quarkusio/quarkus/issues/7248
https://issues.redhat.com/browse/RESTEASY-2519
https://security.netapp.com/advisory/ntap-20210706-0008/
Related Vulnerabilities
CVE-2023-29014 Vulnerability in maven package io.goobi.viewer:viewer-core
CVE-2023-50164 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2022-24377 Vulnerability in npm package cycle-import-check
CVE-2023-48711 Vulnerability in npm package google-translate-api-browser
CVE-2021-39150 Vulnerability in maven package com.thoughtworks.xstream:xstream