PT-2010-3696 · Apache · Apache Myfaces
Published
2010-05-27
·
Updated
2022-05-17
·
CVE-2010-2086
CVSS v2.0
4.0
Medium
| Vector | AV:N/AC:H/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Apache MyFaces versions 1.1.7 and 1.2.8
Apache MyFaces versions prior to 1.1.7
Description
The issue allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object. This is due to the improper handling of an unencrypted view state.
Recommendations
For Apache MyFaces version 1.1.7, update to a version that properly handles encrypted view states.
For Apache MyFaces version 1.2.8, update to a version that properly handles encrypted view states.
For Apache MyFaces versions prior to 1.1.7, update to a version that properly handles encrypted view states.
As a temporary workaround, consider restricting access to the
serialized view object to minimize the risk of exploitation.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Myfaces