{"id":"CVE-2021-20293","details":"A reflected Cross-Site Scripting (XSS) flaw was found in all versions of RESTEasy up to and including 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.","aliases":["GHSA-5h26-c766-g93v"],"modified":"2026-04-10T04:29:17.698090Z","published":"2021-06-10T12:15:07.947Z","references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210727-0005/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942819"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/resteasy/resteasy","events":[{"introduced":"0"},{"last_affected":"21ace631dfc75b169b7d762ab6ce65c67e5a0b43"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.6.0"}]}}],"versions":["3.0-beta-1","3.0-beta-2","3.0-beta-3","3.0-beta-4","3.0-beta-5","3.0-beta-6","3.0-rc-1","3.0.0.Final","3.0.1.Final","3.0.10.Final","3.0.13.Final","3.0.14.Final","3.0.15.Final","3.0.16.Final","3.0.2","3.0.4","3.0.5.Final","3.0.6.Final","3.0.7.Final","3.0.8.Final","3.0.9.Final","3.1.0.Beta1","3.1.0.Beta2","3.1.0.CR1","3.1.0.CR2","3.1.0.CR3","3.1.0.Final","3.1.1.Final","3.1.2.Final","3.1.3.Final","3.1.4.Final","4.0.0.Beta1","4.0.0.Beta2","4.0.0.Beta3","4.0.0.Beta4","4.0.0.Beta5","4.0.0.Beta6","4.0.0.Beta7","4.0.0.CR1","4.0.0.CR2","4.1.0.Final","4.2.0.Final","4.3.0.Final","4.4.0.CR1","4.4.0.Final","4.4.1.Final","4.4.2.Final","4.6.0.Final"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20293.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}