CVE-2010-2086

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.
Configurations

Configuration 1

OR cpe:2.3:a:apache:myfaces:1.1.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.2.8:*:*:*:*:*:*:*

History

21 Nov 2024, 01:15

| Type | Values Removed | Values Added |
|---|---|---|
| References | () http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf - | () http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf - |
| References | () https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt - | () https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt - |

Information

Published : 2010-05-27 19:00

Updated : 2024-11-21 01:15


NVD link : CVE-2010-2086

Mitre link : CVE-2010-2086

CVE.ORG link : CVE-2010-2086



Products Affected

apache

  • myfaces
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')