CVE-2010-2086

Name of the Vulnerable Software and Affected Versions Apache MyFaces versions 1.1.7 and 1.2.8 Apache MyFaces versions prior to 1.1.7

Description The issue allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object. This is due to the improper handling of an unencrypted view state.

Recommendations For Apache MyFaces version 1.1.7, update to a version that properly handles encrypted view states. For Apache MyFaces version 1.2.8, update to a version that properly handles encrypted view states. For Apache MyFaces versions prior to 1.1.7, update to a version that properly handles encrypted view states. As a temporary workaround, consider restricting access to the serialized view object to minimize the risk of exploitation.