CVE-2010-2086
Apache MyFaces 1.1.7 and 1.2.8 - Cross-Site Scripting and Arbitrary EL Execution via Unencrypted View State
Title source: llmDescription
Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.
References (2)
Core 2
Core References
Various Sources x_refsource_misc
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
Various Sources x_refsource_misc
http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf
Scores
EPSS
0.0212
EPSS Percentile
79.8%
Details
CWE
CWE-79
Status
published
Products (3)
apache/myfaces
1.1.7
apache/myfaces
1.2.8
org.apache.myfaces.core/myfaces-core-module
0Maven
Published
May 27, 2010
Tracked Since
Feb 18, 2026