CVE-2010-2086

Apache Myfaces - XSS

Title source: rule

Description

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

References (2)

[Various Sources] http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf

[Various Sources] https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt

Scores

EPSS 0.0295

EPSS Percentile 86.3%

Classification

CWE

CWE-79

Status published

Affected Products (4)

apache/myfaces

org.apache.myfaces.core/myfaces-core-module Maven

n/a/n/a

Timeline

Published May 27, 2010

Tracked Since Feb 18, 2026