CVE-2020-10688

moderate-risk

Published 2021-05-27

A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.

Do I need to act?

0.22% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (6)

Fuse

Jboss Enterprise Application Platform

Openshift Application Runtimes

Resteasy

Jboss Enterprise Application Platform

Affected Vendors

Redhat

References (8)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1814974

Exploit https://github.com/quarkusio/quarkus/issues/7248

Issue Tracking https://issues.redhat.com/browse/RESTEASY-2519

Third Party Advisory https://security.netapp.com/advisory/ntap-20210706-0008/

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1814974

Exploit https://github.com/quarkusio/quarkus/issues/7248

Issue Tracking https://issues.redhat.com/browse/RESTEASY-2519

Third Party Advisory https://security.netapp.com/advisory/ntap-20210706-0008/

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 1/34 · Minimal

Exposure 13/34 · Low