{ "threat_severity" : "Moderate", "public_date" : "2010-02-08T00:00:00Z", "bugzilla" : { "description" : "MyFaces: XSS via state view", "id" : "598164", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=598164" }, "cvss" : { "cvss_base_score" : "5.8", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status" : "verified" }, "cwe" : "CWE-79", "details" : [ "Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.", "JBoss Enterprise Web Server 1.0.0 ships with Apache MyFaces 1.1.0. Apache MyFaces 1.1.0 does not support encrypted\nview state. When the application's view state is not encrypted, it is possible for an attacker to supply a new or modified view object as part of a request. This allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.\nJBoss Enterprise Web Server 1.0.1 and later does not ship with Apache MyFaces. Upgrading to JBoss Enterprise Web Server 1.0.1 or later is recommended to mitigate this issue." ], "affected_release" : [ { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "glassfish-jsf-0:1.2_13-2.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "httpd22-0:2.2.14-4.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "jakarta-commons-chain-0:1.2-2.1.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "jakarta-commons-digester-0:1.8.1-7.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "jakarta-commons-io-0:1.4-1.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "jakarta-commons-modeler-0:2.0-3.3.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "jakarta-commons-validator-0:1.3.1-7.4.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "jakarta-oro-0:2.0.8-3jpp.ep1.3.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "jboss-javaee-0:5.0.1-2.3.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "mod_jk-0:1.2.28-4.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "struts12-0:1.2.9-2.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "tomcat5-0:5.5.28-7.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "tomcat6-0:6.0.24-2.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "tomcat-native-0:1.1.19-2.0.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "xerces-j2-0:2.9.1-2.2_patch_01.ep5.el4" }, { "product_name" : "JBEWS 1.0 for RHEL 4", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el4", "package" : "xml-commons-resolver12-1:1.2-1.1.ep5.el4" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "glassfish-jsf-0:1.2_13-3.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "httpd-0:2.2.14-1.2.1.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "jakarta-commons-chain-0:1.2-2.1.1.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "jakarta-commons-io-0:1.4-1.1.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "jakarta-oro-0:2.0.8-3.1.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "mod_jk-0:1.2.28-4.1.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "struts12-0:1.2.9-2.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "tomcat5-0:5.5.28-7.1.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "tomcat6-0:6.0.24-2.1.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2010-02-23T00:00:00Z", "advisory" : "RHSA-2010:0119", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "tomcat-native-0:1.1.19-2.0.1.ep5.el5" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2010-2086\nhttps://nvd.nist.gov/vuln/detail/CVE-2010-2086" ], "name" : "CVE-2010-2086", "csaw" : false }