It was found that, in some configurations, the JacksonJsonpInterceptor is activated by default in RESTEasy. An attacker could use this flaw to launch a Cross-Site Scripting Inclusion attack.
Acknowledgments: Mikhail Egorov (Odin)
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1372130]
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1471279]
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1481780]