6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-6812

GHSA ID

GHSA-vw2c-5wph-v92r

EPSS Score

0.9068%

CWE

CWE-79

Published

5/13/2022

Updated

12/21/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-6812

CVE-2016-6812: Improper Neutralization of Input During Web Page Generation in Apache CXF

The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-6812

GHSA ID

GHSA-vw2c-5wph-v92r

EPSS Score

0.9068%

CWE

CWE-79

Published

5/13/2022

Updated

12/21/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.cxf:cxf-core	maven	<= 3.0.11	3.0.12
org.apache.cxf:cxf-core	maven	>= 3.1.0, <= 3.1.8	3.1.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from three key functions:

BaseUrlHelper.getBaseURL() failed to remove matrix parameters from request URLs, allowing them to persist in the base URL.
FormattedServiceListWriter used this contaminated base URL to build absolute endpoint addresses without sanitization, directly embedding user-controlled input in HTML.
ServiceListGeneratorServlet constructed stylesheet links from unsanitized request URIs. The commit diffs show explicit fixes in these areas: matrix parameter stripping in BaseUrlHelper, URL concatenation fixes in FormattedServiceListWriter, and URI sanitization in ServiceListGeneratorServlet - all directly addressing the XSS vector described in CVE-2016-6812.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *TTP tr*nsport mo*ul* in *p**** *X* prior to *.*.** *n* *.*.x prior to *.*.* us*s *orm*tt**S*rvi**ListWrit*r to provi** *n *TML p*** w*i** lists t** n*m*s *n* **solut* URL ***r*ss*s o* t** *v*il**l* s*rvi** *n*points. T** mo*ul* **l*ul*t*s t** **

Reasoning

T** vuln*r**ility st*ms *rom t*r** k*y *un*tions: *. **s*Url**lp*r.**t**s*URL() **il** to r*mov* m*trix p*r*m*t*rs *rom r*qu*st URLs, *llowin* t**m to p*rsist in t** **s* URL. *. *orm*tt**S*rvi**ListWrit*r us** t*is *ont*min*t** **s* URL to *uil* **s

6.1

Basic Information

Concerned about an active attack path?

CVE-2016-6812: Improper Neutralization of Input During Web Page Generation in Apache CXF

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI