Multiple cross-site scripting (XSS) vulnerabilities in certain JSF applications in Apache MyFaces Tomahawk before 1.1.6 allow remote attackers to inject arbitrary web script via the autoscroll parameter, which is injected into Javascript that is sent to the client.
issues.apache.org/jira/secure/ReleaseNote.jspa?version=12312536&styleName=Text&projectId=12310272
labs.idefense.com/intelligence/vulnerabilities/display.php?id=544
osvdb.org/36377
secunia.com/advisories/25618
www.securityfocus.com/bid/24480
www.vupen.com/english/advisories/2007/2212
exchange.xforce.ibmcloud.com/vulnerabilities/34872