Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.
Apache
Information Disclosure
Cxf
NVD
CVSS 2.0
10.0
EPSS
3.8%