CVE-2010-2086

CWE-79 — Cross-site Scripting (XSS)9 documents7 sources

Severity

4.0MEDIUM

EPSS

2.9%

top 13.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Myfaces

Timeline

PublishedMay 27

Latest updateMay 17

Description

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

CVSS vector

AV:N/AC:H/C:P/I:P/A:NExploitability: 4.9 | Impact: 4.9

Affected Packages2 packages

▶Mavenorg.apache.myfaces.core:myfaces-core-module1.2.0 — 1.2.8+1

▶NVDapache/myfaces1.1.7, 1.2.8+1

🔴Vulnerability Details

GHSA

Apache MyFaces Cross-site Scripting vulnerability↗2022-05-17

▶

OSV

Apache MyFaces Cross-site Scripting vulnerability↗2022-05-17

▶

CVEList

CVE-2010-2086: Apache MyFaces 1↗2010-05-27

▶

💥Exploits & PoCs

Exploit-DB

phpBB - 'viewtopic.php' Arbitrary Code Execution (Metasploit)↗2010-07-03

▶

Exploit-DB

Juniper SSL-VPN IVE - 'JuniperSetupDLL.dll' ActiveX Control Buffer Overflow (Metasploit)↗2010-05-09

▶

Exploit-DB

Sambar Server 6 - Search Results Buffer Overflow (Metasploit)↗2010-02-13

▶

📋Vendor Advisories

Red Hat

MyFaces: XSS via state view↗2010-02-08

▶

💬Community

Bugzilla

CVE-2010-2086 MyFaces: XSS via state view↗2010-05-31

▶