CVE-2013-5855: XSS
First published: Fri Feb 14 2014(Updated: )
It was found that Mojarra JSF would not properly escape user-supplied content in certain circumstances. The contents of outputText tags and raw EL expressions that immediately follow <script> or <style> elements were not escaped. If a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the user's browser.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Mojarra JavaServer Faces | =2.1.0 | |
| Oracle Mojarra JavaServer Faces | =2.1.1 | |
| Oracle Mojarra JavaServer Faces | =2.1.2 | |
| Oracle Mojarra JavaServer Faces | =2.1.3 | |
| Oracle Mojarra JavaServer Faces | =2.1.4 | |
| Oracle Mojarra JavaServer Faces | =2.1.5 | |
| Oracle Mojarra JavaServer Faces | =2.1.6 | |
| Oracle Mojarra JavaServer Faces | =2.1.7 | |
| Oracle Mojarra JavaServer Faces | =2.1.8 | |
| Oracle Mojarra JavaServer Faces | =2.1.9 | |
| Oracle Mojarra JavaServer Faces | =2.1.10 | |
| Oracle Mojarra JavaServer Faces | =2.1.11 | |
| Oracle Mojarra JavaServer Faces | =2.1.12 | |
| Oracle Mojarra JavaServer Faces | =2.1.13 | |
| Oracle Mojarra JavaServer Faces | =2.1.14 | |
| Oracle Mojarra JavaServer Faces | =2.1.15 | |
| Oracle Mojarra JavaServer Faces | =2.1.16 | |
| Oracle Mojarra JavaServer Faces | =2.1.17 | |
| Oracle Mojarra JavaServer Faces | =2.1.18 | |
| Oracle Mojarra JavaServer Faces | =2.1.19 | |
| Oracle Mojarra JavaServer Faces | =2.1.20 | |
| Oracle Mojarra JavaServer Faces | =2.1.21 | |
| Oracle Mojarra JavaServer Faces | =2.1.22 | |
| Oracle Mojarra JavaServer Faces | =2.1.23 | |
| Oracle Mojarra JavaServer Faces | =2.1.24 | |
| Oracle Mojarra JavaServer Faces | =2.1.25 | |
| Oracle Mojarra JavaServer Faces | =2.1.26 | |
| Oracle Mojarra JavaServer Faces | =2.1.27 | |
| Oracle Mojarra JavaServer Faces | =2.2.0 | |
| Oracle Mojarra JavaServer Faces | =2.2.1 | |
| Oracle Mojarra JavaServer Faces | =2.2.2 | |
| Oracle Mojarra JavaServer Faces | =2.2.3 | |
| Oracle Mojarra JavaServer Faces | =2.2.4 | |
| Oracle Mojarra JavaServer Faces | =2.2.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU
- http://rhn.redhat.com/errata/RHSA-2015-0675.html
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
- http://rhn.redhat.com/errata/RHSA-2015-0765.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://www.securityfocus.com/bid/65600
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- https://java.net/jira/browse/JAVASERVERFACES-3150
- https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258
- https://java.net/projects/mojarra/sources/svn/revision/12793
- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/bc-p/6370209
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1087182
- https://rhn.redhat.com/errata/RHSA-2014-0896.html
- https://rhn.redhat.com/errata/RHSA-2014-0910.html
- https://rhn.redhat.com/errata/RHSA-2015-0235.html
- https://rhn.redhat.com/errata/RHSA-2015-0234.html
- https://rhn.redhat.com/errata/RHSA-2015-0675.html
- https://rhn.redhat.com/errata/RHSA-2015-0720.html
- https://rhn.redhat.com/errata/RHSA-2015-0765.html
- https://rhn.redhat.com/errata/RHSA-2015-1009.html
- https://svn.java.net/svn/mojarra~svn/tags/
- https://github.com/javaserverfaces/mojarra/tags/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5855
- https://bugzilla.redhat.com/show_bug.cgi?id=1065139
Frequently Asked Questions
What is the severity of CVE-2013-5855?
The severity of CVE-2013-5855 is considered medium due to its potential exploitation through cross-site scripting (XSS).
How do I fix CVE-2013-5855?
To fix CVE-2013-5855, upgrade Mojarra JSF to versions 2.2.0 or later where the issue has been addressed.
Which versions of Mojarra JSF are affected by CVE-2013-5855?
CVE-2013-5855 affects Mojarra JSF versions 2.1.0 through 2.1.27.
What actions can I take if I cannot upgrade from Mojarra JSF impacted by CVE-2013-5855?
If upgrading is not possible, consider implementing input sanitization and output encoding to mitigate the risk of XSS attacks.
How does CVE-2013-5855 affect web applications?
CVE-2013-5855 can allow attackers to inject malicious scripts, compromising the security of web applications and exposing user data.
- agent/first-publish-date
- agent/softwarecombine
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-5855
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/oracle mojarra javaserver faces
- version/oracle mojarra javaserver faces/2.1.0
- version/oracle mojarra javaserver faces/2.1.1
- version/oracle mojarra javaserver faces/2.1.2
- version/oracle mojarra javaserver faces/2.1.3
- version/oracle mojarra javaserver faces/2.1.4
- version/oracle mojarra javaserver faces/2.1.5
- version/oracle mojarra javaserver faces/2.1.6
- version/oracle mojarra javaserver faces/2.1.7
- version/oracle mojarra javaserver faces/2.1.8
- version/oracle mojarra javaserver faces/2.1.9
- version/oracle mojarra javaserver faces/2.1.10
- version/oracle mojarra javaserver faces/2.1.11
- version/oracle mojarra javaserver faces/2.1.12
- version/oracle mojarra javaserver faces/2.1.13
- version/oracle mojarra javaserver faces/2.1.14
- version/oracle mojarra javaserver faces/2.1.15
- version/oracle mojarra javaserver faces/2.1.16
- version/oracle mojarra javaserver faces/2.1.17
- version/oracle mojarra javaserver faces/2.1.18
- version/oracle mojarra javaserver faces/2.1.19
- version/oracle mojarra javaserver faces/2.1.20
- version/oracle mojarra javaserver faces/2.1.21
- version/oracle mojarra javaserver faces/2.1.22
- version/oracle mojarra javaserver faces/2.1.23
- version/oracle mojarra javaserver faces/2.1.24
- version/oracle mojarra javaserver faces/2.1.25
- version/oracle mojarra javaserver faces/2.1.26
- version/oracle mojarra javaserver faces/2.1.27
- version/oracle mojarra javaserver faces/2.2.0
- version/oracle mojarra javaserver faces/2.2.1
- version/oracle mojarra javaserver faces/2.2.2
- version/oracle mojarra javaserver faces/2.2.3
- version/oracle mojarra javaserver faces/2.2.4
- version/oracle mojarra javaserver faces/2.2.5