4

CVSS Score

Basic Information

CVE ID

CVE-2010-2086

GHSA ID

GHSA-92cv-wv2c-8899

EPSS Score

0.78802%

CWE

CWE-79

Published

5/17/2022

Updated

2/8/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2010-2086

CVE-2010-2086: Apache MyFaces Cross-site Scripting vulnerability

Apache MyFaces 1.1.7 and 1.2.8 (All previous versions are likely vulnerable), as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

(GitHub Advisory)

4

CVSS Score

Basic Information

CVE ID

CVE-2010-2086

GHSA ID

GHSA-92cv-wv2c-8899

EPSS Score

0.78802%

CWE

CWE-79

Published

5/17/2022

Updated

2/8/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

AV:N/AC:H/Au:N/C:P/I:P/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.myfaces.core:myfaces-core-module	maven	<= 1.1.7
org.apache.myfaces.core:myfaces-core-module	maven	>= 1.2.0, <= 1.2.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of unencrypted view states during deserialization. The StateManagerImpl.restoreView() method is directly responsible for reconstructing the view state from client input. In vulnerable MyFaces versions, this method did not enforce encryption or properly sanitize deserialized content, allowing attackers to inject malicious scripts/EL via modified view state objects. This matches the CWE-79 XSS pattern and aligns with the described attack vector involving serialized view object manipulation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** My****s *.*.* *n* *.*.* (*ll pr*vious v*rsions *r* lik*ly vuln*r**l*), *s us** in I*M W**Sp**r* *ppli**tion S*rv*r *n* ot**r *ppli**tions, *o*s not prop*rly **n*l* *n un*n*rypt** vi*w st*t*, w*i** *llows r*mot* *tt**k*rs to *on*u*t *ross-sit*

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* un*n*rypt** vi*w st*t*s *urin* **s*ri*liz*tion. T** `St*t*M*n***rImpl.r*stor*Vi*w()` m*t*o* is *ir**tly r*sponsi*l* *or r**onstru*tin* t** vi*w st*t* *rom *li*nt input. In vuln*r**l* My****s v*rsions,

4

Basic Information

Concerned about an active attack path?

CVE-2010-2086: Apache MyFaces Cross-site Scripting vulnerability

4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI