CVE-2010-2086
MyFaces: XSS via state view
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.
Apache MyFaces v1.1.7 and v1.2.8, as used in IBM WebSphere Application Server and other applications, do not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute Expression Language (EL) code via vectors that involve modifying the serialized view object.
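The root cause described above is that MyFaces 1.1.7 / 1.2.8 ship client-side state saving with encryption turned off, so the `javax.faces.ViewState` hidden field is just a base64-encoded (and usually gzip-compressed) Java serialization stream that anyone can decode, edit and send back. The checker below is an added example written for this page, not MyFaces code and not from the referenced advisory: it takes a ViewState token, strips the base64 and gzip layers, and reports whether the result starts with the `java.io.ObjectOutputStream` header `AC ED 00 05`. A token that classifies as `plaintext-serialized` is the condition this CVE needs; an encrypted token decodes to ciphertext with no recognisable header and classifies as `opaque`; a server-side state id (`javax.faces.STATE_SAVING_METHOD=server`) is not base64 at all. The sample tokens are constructed inline; the serialized payload is a minimal stand-in that only carries the stream header and one class-name string, not a complete valid JSF view.

```python
"""Classify a JSF javax.faces.ViewState token: unencrypted client-side state or not."""
import base64
import gzip
import re
import zlib
from typing import List, Optional

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectOutputStream stream header
GZIP_MAGIC = b"\x1f\x8b"                  # MyFaces compresses client state by default


def decode_view_state(token: str) -> Optional[bytes]:
    """Undo the transport encoding: base64, then gzip if present.

    Returns None when the token is not client-side state at all (not base64,
    e.g. a server-side state id) or when the gzip layer is corrupt.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:                      # binascii.Error subclasses ValueError
        return None
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):   # gzip.BadGzipFile is an OSError
            return None
    return raw


def classify_view_state(token: str) -> str:
    """'plaintext-serialized' is the vulnerable case: the view can be read and rewritten."""
    raw = decode_view_state(token)
    if raw is None:
        return "not-client-state"
    if raw.startswith(JAVA_SERIAL_MAGIC):
        return "plaintext-serialized"
    return "opaque"                         # no serialization header: encrypted or unknown


def printable_strings(raw: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII in a decoded view: class names and attribute values
    an attacker sees (and can edit) when the state is unencrypted."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, raw)]


# Constructed samples (not captured from a real application).
# Minimal stand-in for a serialized view: stream header, TC_OBJECT/TC_CLASSDESC,
# UTF length 0x1e and a component class name; not a complete valid stream.
_FAKE_SERIALIZED_VIEW = (
    JAVA_SERIAL_MAGIC + b"sr\x00\x1ejavax.faces.component.UIOutput"
    + b"\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00xp"
)
SAMPLE_PLAINTEXT_TOKEN = base64.b64encode(gzip.compress(_FAKE_SERIALIZED_VIEW)).decode()
SAMPLE_PLAINTEXT_UNCOMPRESSED_TOKEN = base64.b64encode(_FAKE_SERIALIZED_VIEW).decode()
SAMPLE_OPAQUE_TOKEN = base64.b64encode(bytes(range(0x40, 0x90))).decode()  # ciphertext stand-in
SAMPLE_SERVER_TOKEN = "j_id1:j_id2"                                          # server-side state id
SAMPLE_CORRUPT_GZIP_TOKEN = base64.b64encode(GZIP_MAGIC + b"garbage").decode()


if __name__ == "__main__":
    for name, token in [
        ("gzip+serialized", SAMPLE_PLAINTEXT_TOKEN),
        ("raw serialized", SAMPLE_PLAINTEXT_UNCOMPRESSED_TOKEN),
        ("ciphertext", SAMPLE_OPAQUE_TOKEN),
        ("server id", SAMPLE_SERVER_TOKEN),
        ("bad gzip", SAMPLE_CORRUPT_GZIP_TOKEN),
    ]:
        verdict = classify_view_state(token)
        extra = printable_strings(decode_view_state(token) or b"")
        print(f"{name:16} -> {verdict:22} {extra}")
```

On a live target, paste the value of the `javax.faces.ViewState` hidden input into `classify_view_state`. The remediation for this CVE is either server-side state saving (`javax.faces.STATE_SAVING_METHOD` set to `server` in web.xml, so nothing serialized leaves the JVM) or keeping client-side state but enabling MyFaces' built-in encryption and MAC (`org.apache.myfaces.USE_ENCRYPTION` set to `true` with a configured secret); after either change the token must no longer classify as `plaintext-serialized`.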
CVSS Scores
SSVC
- Decision: -
Timeline
- 2010-05-27 CVE Reserved
- 2010-05-27 CVE Published
- 2024-09-17 CVE Updated
- 2024-09-17 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
URL | Tag | Date |
---|---|---|
http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf | X_refsource_misc | - |
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt | X_refsource_misc | - |
https://access.redhat.com/security/cve/CVE-2010-2086 | - | 2010-02-23 |
https://bugzilla.redhat.com/show_bug.cgi?id=598164 | - | 2010-02-23 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Apache | Myfaces | 1.1.7 | - | Affected |
Apache | Myfaces | 1.2.8 | - | Affected |