PT-2014-1721 · Oracle · Oracle Mojarra, Oracle WebLogic Server

Published: 2014-07-16 · Updated: 2022-05-14 · CVE-2013-5855

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Oracle Mojarra versions 2.2.x through 2.2.5
Oracle Mojarra versions 2.1.x through 2.1.27

Description

The issue arises from inadequate output encoding when a h:outputText tag or an EL expression is rendered after a script or style block. A remote attacker can use this to conduct cross-site scripting (XSS) attacks via application-specific vectors.

Recommendations

For Oracle Mojarra versions 2.2.x through 2.2.5, update to version 2.2.6 or later.
For Oracle Mojarra versions 2.1.x through 2.1.27, update to version 2.1.28 or later.
As a temporary workaround, consider restricting the use of h:outputText tags and EL expressions after script or style blocks until the fixed version can be deployed.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2015-00734
CVE-2013-5855
GHSA-3M3R-82GC-53MJ

Affected Products

Oracle Mojarra
Oracle Weblogic Server