Description
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final. When the RESTEASY003870 exception occurs, RESTEasy did not properly URL-encode the request input that triggered it before reflecting it into the error response. An attacker could use this flaw to launch a reflected XSS attack against a user who follows a crafted link (the CVSS vector below records the required user interaction).
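The two checks a practitioner wants from this entry are "is my RESTEasy version in the affected range?" and "does this deployment still reflect an unconvertible parameter value unencoded on the RESTEASY003870 error path?". The following Python is an added example, not code from this entry or from the RESTEasy project. The version ranges are taken from the description above; the branch rules for versions below 3.x and above 4.x are assumptions stated in the code. The HTTP response bodies are constructed samples: they imitate a 400 error for a parameter that could not be converted (the condition that raises RESTEASY003870, for example a non-numeric string sent to an int query parameter), and their exact wording is not claimed to match RESTEasy's real message.

```python
"""Added example for the RESTEasy RESTEASY003870 reflected XSS entry.

Not project code. Two helpers:
  is_affected()          version-range test derived from the entry's description
  classify_reflection()  decide whether a probe value came back raw, encoded, or not at all
"""
import html
from urllib.parse import quote, urlencode

# First fixed release per branch, from the description on this page.
FIXED_BY_MAJOR = {3: (3, 11, 1), 4: (4, 5, 3)}


def parse_version(version: str) -> tuple:
    """Leading numeric components of a Maven-style version:
    '3.11.1.Final' -> (3, 11, 1). Qualifiers (Final, SP1, Beta) are ignored."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version falls in the affected ranges.
    Assumptions: majors below 3 are affected (the page lists '0 - 3.11.1.Final'
    for resteasy-core); majors above 4 postdate the fix and are not affected."""
    v = parse_version(version)
    major = v[0]
    if major < 3:
        return True
    fixed = FIXED_BY_MAJOR.get(major)
    if fixed is None:
        return False
    return v < fixed


# Harmless probe: contains <, >, " and = so that raw reflection into HTML is
# unambiguous, and it is not convertible to a numeric parameter type.
PROBE = '<x-canary id="r3870">'


def probe_url(base_url: str, param: str, probe: str) -> str:
    """Build the probe URL with the value URL-encoded on the wire, so the
    server performs the decoding before it tries to convert the parameter."""
    return f"{base_url}?{urlencode({param: probe})}"


def classify_reflection(probe: str, content_type: str, body: str) -> str:
    """Classify how an error response handled the probe value.

    'reflected-unescaped'  raw probe in an HTML body: exploitable reflected XSS
    'reflected-non-html'   raw probe, but the body is not served as HTML
    'reflected-encoded'    probe present only URL-encoded or HTML-escaped
    'absent'               probe not echoed at all
    """
    if probe in body:
        if "text/html" in content_type.lower():
            return "reflected-unescaped"
        return "reflected-non-html"
    encoded_forms = (quote(probe, safe=""), html.escape(probe, quote=True))
    if any(form in body for form in encoded_forms):
        return "reflected-encoded"
    return "absent"


# Constructed sample bodies (illustrative wording, not copied from RESTEasy).
_MSG_PREFIX = (
    "RESTEASY003870: Unable to extract parameter from http request: "
    'javax.ws.rs.QueryParam("id") value is '
)
_MSG_SUFFIX = "' for public java.lang.String example.Greeting.hello(int)"
VULNERABLE_BODY = _MSG_PREFIX + "'" + PROBE + _MSG_SUFFIX
FIXED_BODY = _MSG_PREFIX + "'" + quote(PROBE, safe="") + _MSG_SUFFIX


def run_checks() -> dict:
    """Evaluate the constructed samples and a few version strings."""
    return {
        "url": probe_url("http://localhost:8080/hello", "id", PROBE),
        "vulnerable": classify_reflection(PROBE, "text/html;charset=UTF-8", VULNERABLE_BODY),
        "fixed": classify_reflection(PROBE, "text/html;charset=UTF-8", FIXED_BODY),
        "4.5.2.Final": is_affected("4.5.2.Final"),
        "4.5.3.Final": is_affected("4.5.3.Final"),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Against a live service, send the URL returned by `probe_url` with a client that does not follow redirects, record the response `Content-Type` and body, and pass them to `classify_reflection`; only `reflected-unescaped` is the vulnerable outcome this entry describes. The encoded check accepts either URL encoding or HTML escaping because either neutralises the probe's `<` in an HTML context.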
References (4)
https://bugzilla.redhat.com/show_bug.cgi?id=1814974 (Issue Tracking, Patch, Vendor Advisory)
https://github.com/quarkusio/quarkus/issues/7248 (Exploit, Issue Tracking, Third Party Advisory)
https://issues.redhat.com/browse/RESTEASY-2519 (Issue Tracking, Permissions Required, Vendor Advisory)
https://security.netapp.com/advisory/ntap-20210706-0008/ (Third Party Advisory)
Scores
CVSS v3: 6.1
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0034
EPSS Percentile: 57.0%
Details
CWE
CWE-79
Status
published
Products (8)
org.jboss.resteasy/resteasy-bom
0 - 3.11.1.Final (Maven)
org.jboss.resteasy/resteasy-core
0 - 3.11.1.Final (Maven)
redhat/fuse
1.0
redhat/jboss_enterprise_application_platform
redhat/jboss_enterprise_application_platform
7.3
redhat/jboss_enterprise_application_platform
7.4
redhat/openshift_application_runtimes
redhat/resteasy
< 3.11.1
Published
May 27, 2021
Tracked Since
Feb 18, 2026