CVE-2010-2086

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

Published Bycve@mitre.org

Published DateMay 27, 2010, 19:00

Affected Versions(2)

org.apache.myfaces.core:myfaces-core-module(Maven)

Introduced0

FixedN/A

LimitN/A

org.apache.myfaces.core:myfaces-core-module(Maven)

Introduced1.2.0

FixedN/A

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.myfaces.core:myfaces-core-module(Maven)	0	N/A	N/A
org.apache.myfaces.core:myfaces-core-module(Maven)	1.2.0	N/A	N/A

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

Vector String

AV:N/AC:H/Au:N/C:P/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

NONE

References

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

Vector String

AV:N/AC:H/Au:N/C:P/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

NONE