XSS and EL Statement Execution Vulnerability in Apache MyFaces 1.1.7 and 1.2.8
CVE-2010-2086
Currently unrated
Summary
Apache MyFaces versions 1.1.7 and 1.2.8 improperly handle unencrypted view state. Remote attackers can exploit this by manipulating serialized view objects to perform cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements, leading to unauthorized actions or disclosure of sensitive data.