CVE-2019-17091

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

El archivo faces/context/PartialViewContextImpl.java en Eclipse Mojarra, como es usado en Mojarra para Eclipse EE4J versiones anteriores a 2.3.10 y Mojarra JavaServer Faces versiones anteriores a 2.2.20, permite un ataque de tipo XSS Reflejado porque un campo client window es manejado inapropiadamente.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-10-02 CVE Reserved
2019-10-02 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2024-09-25 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (17)

URL	Tag	Source
https://github.com/eclipse-ee4j/mojarra/compare/2.3.9-RELEASE...2.3.10-RELEASE	Release Notes
https://github.com/eclipse-ee4j/mojarra/issues/4556	Third Party Advisory

URL	Date	SRC
https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244	2024-08-05
https://github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt	2024-08-05

URL	Date	SRC
https://github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee	2022-04-06
https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f	2022-04-06
https://github.com/eclipse-ee4j/mojarra/pull/4567	2022-04-06
https://github.com/javaserverfaces/mojarra/commit/ae1c234d0a6750822ac69d4ae26d90e3571f27fe	2022-04-06
https://github.com/javaserverfaces/mojarra/commit/f61935cd39f34329fbf27b1972a506fbdd0ab4d4	2022-04-06
https://github.com/javaserverfaces/mojarra/compare/2.2.19...2.2.20	2022-04-06
https://www.oracle.com/security-alerts/cpuapr2020.html	2022-04-06
https://www.oracle.com/security-alerts/cpujan2020.html	2022-04-06
https://www.oracle.com/security-alerts/cpujan2021.html	2022-04-06
https://www.oracle.com/security-alerts/cpujan2022.html	2022-04-06
https://www.oracle.com/security-alerts/cpujul2020.html	2022-04-06
https://www.oracle.com/security-alerts/cpuoct2020.html	2022-04-06
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	2022-04-06

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Eclipse Search vendor "Eclipse"		Mojarra Search vendor "Eclipse" for product "Mojarra"				>= 2.3.0 < 2.3.10 Search vendor "Eclipse" for product "Mojarra" and version " >= 2.3.0 < 2.3.10"		-		Affected
Oracle Search vendor "Oracle"		Mojarra Javaserver Faces Search vendor "Oracle" for product "Mojarra Javaserver Faces"				>= 2.2.0 < 2.2.20 Search vendor "Oracle" for product "Mojarra Javaserver Faces" and version " >= 2.2.0 < 2.2.20"		-		Affected
Oracle Search vendor "Oracle"		Application Testing Suite Search vendor "Oracle" for product "Application Testing Suite"				13.2.0.1 Search vendor "Oracle" for product "Application Testing Suite" and version "13.2.0.1"		-		Affected
Oracle Search vendor "Oracle"		Application Testing Suite Search vendor "Oracle" for product "Application Testing Suite"				13.3.0.1 Search vendor "Oracle" for product "Application Testing Suite" and version "13.3.0.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Product Manufacturing Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing"				2.7.0 Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing" and version "2.7.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Product Manufacturing Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing"				2.8.0 Search vendor "Oracle" for product "Banking Enterprise Product Manufacturing" and version "2.8.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Signaling Router Search vendor "Oracle" for product "Communications Diameter Signaling Router"				>= 8.0.0.0 <= 8.4.0.5 Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version " >= 8.0.0.0 <= 8.4.0.5"		-		Affected
Oracle Search vendor "Oracle"		Communications Network Integrity Search vendor "Oracle" for product "Communications Network Integrity"				7.3.5 Search vendor "Oracle" for product "Communications Network Integrity" and version "7.3.5"		-		Affected
Oracle Search vendor "Oracle"		Communications Network Integrity Search vendor "Oracle" for product "Communications Network Integrity"				7.3.6 Search vendor "Oracle" for product "Communications Network Integrity" and version "7.3.6"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.3.0 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.3.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.0 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Data Quality Search vendor "Oracle" for product "Enterprise Data Quality"				12.2.1.3.0 Search vendor "Oracle" for product "Enterprise Data Quality" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Information Manager Search vendor "Oracle" for product "Health Sciences Information Manager"				3.0 Search vendor "Oracle" for product "Health Sciences Information Manager" and version "3.0"		-		Affected
Oracle Search vendor "Oracle"		Healthcare Data Repository Search vendor "Oracle" for product "Healthcare Data Repository"				7.0 Search vendor "Oracle" for product "Healthcare Data Repository" and version "7.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 15.1.0.0 <= 15.2.18.7 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 15.1.0.0 <= 15.2.18.7"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 16.1.0.0 <= 16.2.19.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 16.1.0.0 <= 16.2.19.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 17.1.0.0 <= 17.12.15.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 17.1.0.0 <= 17.12.15.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 18.1.0.0 <= 18.8.15.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 18.1.0.0 <= 18.8.15.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				19.12.0.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "19.12.0.0"		-		Affected
Oracle Search vendor "Oracle"		Rapid Planning Search vendor "Oracle" for product "Rapid Planning"				12.1 Search vendor "Oracle" for product "Rapid Planning" and version "12.1"		-		Affected
Oracle Search vendor "Oracle"		Rapid Planning Search vendor "Oracle" for product "Rapid Planning"				12.2 Search vendor "Oracle" for product "Rapid Planning" and version "12.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Advanced Inventory Planning Search vendor "Oracle" for product "Retail Advanced Inventory Planning"				15.0 Search vendor "Oracle" for product "Retail Advanced Inventory Planning" and version "15.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Advanced Inventory Planning Search vendor "Oracle" for product "Retail Advanced Inventory Planning"				16.0 Search vendor "Oracle" for product "Retail Advanced Inventory Planning" and version "16.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Assortment Planning Search vendor "Oracle" for product "Retail Assortment Planning"				16.0.3 Search vendor "Oracle" for product "Retail Assortment Planning" and version "16.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Bulk Data Integration Search vendor "Oracle" for product "Retail Bulk Data Integration"				16.0.3.0 Search vendor "Oracle" for product "Retail Bulk Data Integration" and version "16.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Financial Integration Search vendor "Oracle" for product "Retail Financial Integration"				15.0 Search vendor "Oracle" for product "Retail Financial Integration" and version "15.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Financial Integration Search vendor "Oracle" for product "Retail Financial Integration"				16.0 Search vendor "Oracle" for product "Retail Financial Integration" and version "16.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				15.0 Search vendor "Oracle" for product "Retail Integration Bus" and version "15.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				16.0 Search vendor "Oracle" for product "Retail Integration Bus" and version "16.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Invoice Matching Search vendor "Oracle" for product "Retail Invoice Matching"				16.0 Search vendor "Oracle" for product "Retail Invoice Matching" and version "16.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System"				16.0 Search vendor "Oracle" for product "Retail Merchandising System" and version "16.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				15.0 Search vendor "Oracle" for product "Retail Service Backbone" and version "15.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				16.0 Search vendor "Oracle" for product "Retail Service Backbone" and version "16.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Store Inventory Management Search vendor "Oracle" for product "Retail Store Inventory Management"				14.0.4 Search vendor "Oracle" for product "Retail Store Inventory Management" and version "14.0.4"		-		Affected
Oracle Search vendor "Oracle"		Retail Store Inventory Management Search vendor "Oracle" for product "Retail Store Inventory Management"				14.1.3 Search vendor "Oracle" for product "Retail Store Inventory Management" and version "14.1.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Store Inventory Management Search vendor "Oracle" for product "Retail Store Inventory Management"				15.0.3 Search vendor "Oracle" for product "Retail Store Inventory Management" and version "15.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Store Inventory Management Search vendor "Oracle" for product "Retail Store Inventory Management"				16.0.3 Search vendor "Oracle" for product "Retail Store Inventory Management" and version "16.0.3"		-		Affected
Oracle Search vendor "Oracle"		Secure Global Desktop Search vendor "Oracle" for product "Secure Global Desktop"				5.4 Search vendor "Oracle" for product "Secure Global Desktop" and version "5.4"		-		Affected
Oracle Search vendor "Oracle"		Secure Global Desktop Search vendor "Oracle" for product "Secure Global Desktop"				5.5 Search vendor "Oracle" for product "Secure Global Desktop" and version "5.5"		-		Affected
Oracle Search vendor "Oracle"		Time And Labor Search vendor "Oracle" for product "Time And Labor"				>= 12.2.6 <= 12.2.11 Search vendor "Oracle" for product "Time And Labor" and version " >= 12.2.6 <= 12.2.11"		-		Affected