CVE-2010-2086: XSS
First published: Thu May 27 2010(Updated: )
Apache MyFaces 1.1.7 and 1.2.8 (All previous versions are likely vulnerable), as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache MyFaces | =1.2.8 | |
| Apache MyFaces | =1.1.7 | |
| maven/org.apache.myfaces.core:myfaces-core-module | >=1.2.0<=1.2.8 | |
| maven/org.apache.myfaces.core:myfaces-core-module | <=1.1.7 | |
| =1.1.7 | ||
| =1.2.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-92cv-wv2c-8899
- alias/CVE-2010-2086
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- agent/softwarecombine
- agent/event
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache myfaces
- version/apache myfaces/1.2.8
- version/apache myfaces/1.1.7
- package-manager/maven