Skip to main content

Resteasy CVE-2016-6347

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2017-04-20 secalert@redhat.com
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 20, 2017 - 17:59 cve.org
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 30 maven packages depend on org.jboss.resteasy:resteasy-client (22 direct, 8 indirect)

Ecosystem-wide dependent count for version 3.1.0.Beta1.

DescriptionCVE.org

Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AnalysisAI

Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Affected products include: Redhat Resteasy.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2014-3490 HIGH
7.5 Aug 19

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3

CVE-2018-1051 HIGH
8.1 Jan 25

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Restea

CVE-2016-6346 HIGH
7.5 Sep 07

RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors. Ra

CVE-2020-1695 HIGH
7.5 May 19

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Fin

CVE-2014-7839 MEDIUM
6.4 Nov 25

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parame

CVE-2016-6345 MEDIUM
6.5 Sep 07

RESTEasy allows remote authenticated users to obtain sensitive information by leveraging "insufficient use of random val

CVE-2016-6348 MEDIUM
6.1 Apr 12

JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.

CVE-2021-20293 MEDIUM
6.1 Jun 10

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where i

CVE-2023-0482 MEDIUM
5.5 Feb 17

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround clas

CVE-2021-20289 MEDIUM
5.3 Mar 26

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. Rated medium severity (CVSS 5.3), this vulne

CVE-2020-25633 MEDIUM
5.3 Sep 18

A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. Rated medium severity (CVSS 5.3), thi

CVE-2012-0818 MEDIUM
5.0 Nov 23

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document

Share

CVE-2016-6347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy