CVE-2010-2086

Apache MyFaces 1.1.7 and 1.2.8 - Cross-Site Scripting and Arbitrary EL Execution via Unencrypted View State

Title source: llm
STIX 2.1

Description

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

Scores

EPSS 0.0212
EPSS Percentile 79.8%

Details

CWE
CWE-79
Status published
Products (3)
apache/myfaces 1.1.7
apache/myfaces 1.2.8
org.apache.myfaces.core/myfaces-core-module 0Maven
Published May 27, 2010
Tracked Since Feb 18, 2026