CVE-2010-2086

Aliases:GHSA-92cv-wv2c-8899
Advisory lineage Upstream: 0 Downstream: 1
Downstream
RHSA-2010:0119
Modified
Published: 27 May 2010, 18:32
Last modified:17 Sept 2024, 02:36

Vulnerability Summary

Overall Risk (default)
low
17/100
CVSS Score
4 MEDIUM
v2.0 (nvd)
EPSS Score
2.95% LOW
3% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

27 May 2010, 18:32
Published
Vulnerability first disclosed
17 Sept 2024, 02:36
Last Modified
Vulnerability information updated

Description

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

CVSS Metrics

  • v2.0MEDIUMScore: 4AV:N/AC:H/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 2.95% Percentile: 87%

Techniques & Countermeasures

  • CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Systems

  • apachemyfaces

    1.1.7 | 1.2.8

  • org.apache.myfaces.coremyfaces-core-module

    ≤ 1.1.7 | ≥ 1.2.0, ≤ 1.2.8

References (4)