CVE-2013-5855
JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
Public Exploits: 0
Exploited in Wild: -
Descriptions
Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a script or style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.
It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user's browser.
Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems such as multiple databases, XML files, and even Hadoop systems appear as a set of tables in a local database. The release of Red Hat JBoss Data Virtualization 6.1.0 serves as a replacement for Red Hat JBoss Data Virtualization 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.
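The two checks a practitioner wants from this advisory are a version gate (is the deployed Mojarra below 2.1.28 or 2.2.6?) and a template scan for the pattern the descriptions name: an <h:outputText> tag or a raw EL expression that directly follows a script or style block. The script below is an added example, not code from the advisory, Oracle, Red Hat or the Mojarra project. It assumes that whitespace between the closing </script> or </style> tag and the next token still counts as "immediately follows", that templates use the conventional `h:` prefix for the HTML tag library, and that the Mojarra implementation jar's META-INF/MANIFEST.MF carries an Implementation-Version attribute; the Facelet and manifest samples are constructed for the example.

```python
"""Added example (not from the advisory or from Mojarra): two audit checks
for CVE-2013-5855.

1. is_affected(): compares a Mojarra version against the fixed releases the
   advisory names (2.1.28 and 2.2.6). Other release lines return None.
2. find_suspect_spans(): flags the template pattern the advisory describes,
   an <h:outputText> tag or a raw EL expression that directly follows a
   </script> or </style> closing tag (whitespace in between is assumed to
   still count as "immediately follows").
"""
import re
import sys
from pathlib import Path

# First fixed release per affected line, taken from the advisory text.
FIXED_RELEASE = {(2, 1): (2, 1, 28), (2, 2): (2, 2, 6)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Closing script/style tag, optional whitespace, then outputText or #{..}/${..}.
# Only the conventional h: prefix is recognised (assumption).
_SUSPECT_RE = re.compile(
    r"</(?:script|style)\s*>\s*(<h:outputText\b|[#$]\{)",
    re.IGNORECASE,
)


def parse_version(version):
    """Return (major, minor, patch) or None. Tolerates vendor suffixes such as
    '2.2.5-jbossorg-3' by reading only the leading numeric triple."""
    m = _VERSION_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True if the version is below the fixed release of its line, False if it
    is at or above it, None if the line is not one the advisory covers."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_RELEASE.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


def version_from_manifest(manifest_text):
    """Pull Implementation-Version out of a META-INF/MANIFEST.MF body.
    Assumes the Mojarra implementation jar carries this attribute."""
    for line in manifest_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def find_suspect_spans(xhtml):
    """Return [(line_no, matched_token)] for every outputText/EL occurrence
    that directly follows a </script> or </style> tag."""
    hits = []
    for m in _SUSPECT_RE.finditer(xhtml):
        line_no = xhtml.count("\n", 0, m.start(1)) + 1
        hits.append((line_no, m.group(1)))
    return hits


# Constructed sample Facelet (not a real application page). Lines 4 and 6
# show the pattern; line 7 is preceded by <p>, so it is not flagged.
SAMPLE_FACELET = """<html xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:body>
<script type="text/javascript">var greet = 'hi';</script>
<h:outputText value="#{param.name}" />
<style>.note { color: red; }</style>
#{param.q}
<p><h:outputText value="#{param.comment}" /></p>
</h:body>
</html>
"""

# Constructed manifest excerpt in the shape of a jar MANIFEST.MF.
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Implementation-Title: Mojarra
Implementation-Version: 2.2.5
Bundle-SymbolicName: javax.faces
"""


def main(argv):
    """Scan *.xhtml under a directory (argv[1]) or, with no argument, the sample."""
    if len(argv) > 1:
        sources = {str(p): p.read_text(errors="replace")
                   for p in Path(argv[1]).rglob("*.xhtml")}
    else:
        sources = {"<sample>": SAMPLE_FACELET}
    for name, text in sources.items():
        for line_no, token in find_suspect_spans(text):
            print(f"{name}:{line_no}: {token!r} directly follows a script/style block")
    ver = version_from_manifest(SAMPLE_MANIFEST)
    print(f"sample manifest version {ver}: affected={is_affected(ver)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The template scan is a triage aid, not a fix: the descriptions say the framework's own encoding failed in this position, so setting escape="true" on the tag (already the default) does not help, and the remedy is upgrading to 2.1.28 or 2.2.6 or later, or the vendor builds listed in the Red Hat and VMware references.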
CVSS Scores
SSVC
- Decision: -
Timeline
- 2013-09-18 CVE Reserved
- 2014-07-16 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (14)
URL | Tag
---|---
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU | X_refsource_misc
http://seclists.org/fulldisclosure/2014/Dec/23 | Mailing List
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html | X_refsource_confirm
http://www.securityfocus.com/archive/1/534161/100/0/threaded | Mailing List
http://www.securityfocus.com/bid/65600 | Vdb Entry
http://www.vmware.com/security/advisories/VMSA-2014-0012.html | X_refsource_confirm
https://java.net/jira/browse/JAVASERVERFACES-3150 | X_refsource_confirm
https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258 | X_refsource_confirm

URL | Date
---|---
http://rhn.redhat.com/errata/RHSA-2015-0675.html | 2018-10-09
http://rhn.redhat.com/errata/RHSA-2015-0720.html | 2018-10-09
http://rhn.redhat.com/errata/RHSA-2015-0765.html | 2018-10-09
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html | 2018-10-09
https://access.redhat.com/security/cve/CVE-2013-5855 | 2015-05-14
https://bugzilla.redhat.com/show_bug.cgi?id=1065139 | 2015-05-14
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Oracle | Mojarra | 2.1.0 | Affected
Oracle | Mojarra | 2.1.1 | Affected
Oracle | Mojarra | 2.1.2 | Affected
Oracle | Mojarra | 2.1.3 | Affected
Oracle | Mojarra | 2.1.4 | Affected
Oracle | Mojarra | 2.1.5 | Affected
Oracle | Mojarra | 2.1.6 | Affected
Oracle | Mojarra | 2.1.7 | Affected
Oracle | Mojarra | 2.1.8 | Affected
Oracle | Mojarra | 2.1.9 | Affected
Oracle | Mojarra | 2.1.10 | Affected
Oracle | Mojarra | 2.1.11 | Affected
Oracle | Mojarra | 2.1.12 | Affected
Oracle | Mojarra | 2.1.13 | Affected
Oracle | Mojarra | 2.1.14 | Affected
Oracle | Mojarra | 2.1.15 | Affected
Oracle | Mojarra | 2.1.16 | Affected
Oracle | Mojarra | 2.1.17 | Affected
Oracle | Mojarra | 2.1.18 | Affected
Oracle | Mojarra | 2.1.19 | Affected
Oracle | Mojarra | 2.1.20 | Affected
Oracle | Mojarra | 2.1.21 | Affected
Oracle | Mojarra | 2.1.22 | Affected
Oracle | Mojarra | 2.1.23 | Affected
Oracle | Mojarra | 2.1.24 | Affected
Oracle | Mojarra | 2.1.25 | Affected
Oracle | Mojarra | 2.1.26 | Affected
Oracle | Mojarra | 2.1.27 | Affected
Oracle | Mojarra | 2.2.0 | Affected
Oracle | Mojarra | 2.2.1 | Affected
Oracle | Mojarra | 2.2.2 | Affected
Oracle | Mojarra | 2.2.3 | Affected
Oracle | Mojarra | 2.2.4 | Affected
Oracle | Mojarra | 2.2.5 | Affected