CVE-2019-17091

CWE-79 — Cross-site Scripting (XSS)10 documents6 sources

Severity

6.1MEDIUM

EPSS

5.6%

top 9.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Mojarra Oracle Mojarra Javaserver Faces Oracle Communications Diameter Signaling Router +20 more

Timeline

PublishedOct 2

Latest updateMay 24

Description

faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages25 packages

▶NVDoracle/mojarra_javaserver_faces2.2.0 — 2.2.20

▶NVDeclipse/mojarra2.3.0 — 2.3.10

▶Mavenorg.glassfish:javax.faces< 2.2.20

▶Mavenorg.glassfish:jakarta.faces< 2.3.10

▶NVDoracle/time_and_labor12.2.6 — 12.2.11

Patches

Patch: bugs.eclipse.org ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cross-site Scripting in Eclipse Mojarra↗2022-05-24

▶

GHSA

Cross-site Scripting in Eclipse Mojarra↗2022-05-24

▶

CVEList

CVE-2019-17091: faces/context/PartialViewContextImpl↗2019-10-02

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: General (Eclipse Mojarra) — CVE-2019-17091↗2021-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Platform (Eclipse Mojarra) — CVE-2019-17091↗2020-10-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Eclipse Mojarra) — CVE-2019-17091↗2020-07-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Core (Eclipse Mojarra) — CVE-2019-17091↗2020-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Maps (Mojarra) — CVE-2019-17091↗2020-01-15

▶