Lucene search

[email protected]CVE-2010-2086

HistoryOct 03, 2022 - 4:21 p.m.

CVE-2010-2086

2022-10-0316:21:07

CWE-79

[email protected]

web.nvd.nist.gov

cve

2010

2086

apache

myfaces

ibm

websphere

application server

cross-site scripting

xss

expression language

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:P/A:N

6 Medium

AI Score

Confidence

High

0.024 Low

EPSS

Percentile

90.0%

JSON

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

Affected configurations

NVD

Node

apachemyfacesMatch1.1.7

apachemyfacesMatch1.2.8

CPENameOperatorVersion
apache:myfacesapache myfaceseq1.1.7
apache:myfacesapache myfaceseq1.2.8

CPE	Name	Operator	Version
apache:myfaces	apache myfaces	eq	1.1.7
apache:myfaces	apache myfaces	eq	1.2.8

References

www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf

www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:P/A:N

6 Medium

AI Score

Confidence

High

0.024 Low

EPSS

Percentile

90.0%

JSON

Related for CVE-2010-2086

prion1 cvelist1 seebug1 osv1 nvd1 github1 redhat1