XSS and EL Statement Execution Vulnerability in Apache MyFaces 1.1.7 and 1.2.8
CVE-2010-2086
Currently unrated
What is CVE-2010-2086?
Apache MyFaces versions 1.1.7 and 1.2.8 are vulnerable due to improper handling of unencrypted view states, which can be exploited by remote attackers to perform cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements. This vulnerability occurs when attackers manipulate serialized view objects, leading to unauthorized actions or disclosure of sensitive data.
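A defensive check for the condition described above, as an added example that is not part of the original entry or the MyFaces project: it classifies a view-state field value captured from your own application (the javax.faces.ViewState hidden field in JSF 1.2) as plaintext serialized Java or opaque data. The function names and sample values are hypothetical and constructed for illustration.

```python
import base64
import binascii
import gzip
import zlib

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header
GZIP_MAGIC = b"\x1f\x8b"                 # client state may be gzip-compressed


def classify_view_state(value):
    """Classify one view-state field value captured from your own application.

    Returns "plaintext-serialized", "opaque" or "not-base64".
    """
    text = value.strip()
    try:
        raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"  # e.g. a server-side state identifier
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return "opaque"  # gzip-looking prefix but not a valid stream
    if raw.startswith(JAVA_SERIAL_MAGIC):
        return "plaintext-serialized"  # readable and modifiable by the client
    return "opaque"  # consistent with encrypted state


# Constructed sample values (not taken from any real application).
_fake_object = JAVA_SERIAL_MAGIC + b"sr\x00\x10constructed.Tree" + b"\x00" * 8
SAMPLES = {
    "plain": base64.b64encode(_fake_object).decode(),
    "compressed": base64.b64encode(gzip.compress(_fake_object)).decode(),
    "ciphertext-like": base64.b64encode(bytes(range(0x40, 0x60))).decode(),
    "server-side-id": "j_id42:j_id43",
}


def audit(samples):
    """Map each sample name to its classification."""
    return {name: classify_view_state(v) for name, v in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:16} {verdict}")
```

A "plaintext-serialized" result means the client can read and alter the serialized view, which is the precondition this CVE describes. An "opaque" result only shows the value is not readable serialized Java; it does not prove the state is integrity-protected.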