exploitDog

CVE-2013-5855

Published: 07 Feb 2014
Source: redhat
CVSS2: 4.3
EPSS: Low

Description

Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a script or style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.

It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user's browser.

Affected packages

Platform                                          | Package | Status       | Recommendation | Release
--------------------------------------------------|---------|--------------|----------------|--------
Red Hat BPM Suite 6                               | JSF     | Affected     |                |
Red Hat JBoss BRMS 5                              | JSF     | Will not fix |                |
Red Hat JBoss BRMS 6                              | JSF     | Affected     |                |
Red Hat JBoss Data Grid 6                         | JSF     | Not affected |                |
Red Hat JBoss Data Virtualization 6               | JSF     | Affected     |                |
Red Hat JBoss Enterprise Application Platform 5   | JSF     | Will not fix |                |
Red Hat JBoss Enterprise Application Platform 6   | JSF     | Affected     |                |
Red Hat JBoss Enterprise Web Server 1             | eap-4   | Will not fix |                |
Red Hat JBoss Enterprise Web Server 1             | JSF     | Will not fix |                |
Red Hat JBoss Fuse Service Works 6                | JSF     | Affected     |                |

Additional information

Status:

Moderate
Defect:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1065139
JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions

EPSS

Percentile: 85%
0.02752
Low

4.3 Medium

CVSS2

Related vulnerabilities

ubuntu
more than 11 years ago

Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a script or style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.

nvd
more than 11 years ago

Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a script or style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.

debian
more than 11 years ago

Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not per ...

github
more than 3 years ago

Improper Neutralization of Input During Web Page Generation in Mojarra

fstec
more than 11 years ago

A vulnerability in WebLogic Server software that allows a remote attacker to compromise protected information