CVE-2020-10688: 
Java vulnerability analysis and mitigation

A cross-site scripting (XSS) flaw was discovered in RESTEasy versions before 3.11.1.Final and before 4.5.3.Final. The vulnerability occurs when the software does not properly handle URL encoding during RESTEASY003870 exception occurrences. This vulnerability was assigned CVE-2020-10688 and was disclosed on March 20, 2020 (CVE Mitre, NVD).

The vulnerability stems from improper URL encoding handling when the RESTEASY003870 exception occurs. When a malformed request is made with specific URL parameters, the exception handling mechanism fails to properly sanitize the input, allowing for reflected XSS attacks. For example, a GET endpoint accepting paging parameters in the form 'start,offset' could be exploited through maliciously crafted input (GitHub Issue).

Successful exploitation of this vulnerability could allow an attacker to launch a reflected XSS attack, potentially leading to the disclosure of sensitive information or modification of data through the network (Red Hat Bugzilla, NetApp Advisory).

The vulnerability has been fixed in RESTEasy versions 3.11.1.Final and 4.5.3.Final. Users are advised to upgrade to these or later versions to address the security issue. The fix was implemented through a pull request that properly handles URL encoding during exception processing (Red Hat Bugzilla).