Apache CXF Team

3 exploits Active since Nov 2015
CVE-2015-5253 NOMISEC STUB
Apache CXF <2.7.18, <3.0.7, <3.1.3 - Auth Bypass
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
CVE-2019-17573 NOMISEC MEDIUM STUB
Apache CXF 3.2.0-3.2.11 - Reflected Cross-Site Scripting via Services Listing Page
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.
CVSS 6.1
CVE-2015-5253 NOMISEC STUB
Apache CXF <2.7.18, <3.0.7, <3.1.3 - Auth Bypass
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."