CVE-2010-2086: Apache MyFaces Cross-site Scripting vulnerability
CVSS Score: 4.0 (CVSS v2)
Basic Information
CVE ID: CVE-2010-2086
GHSA ID:
EPSS Score: 0.78802%
CWE: CWE-79 (Cross-site Scripting)
Published: 5/17/2022
Updated: 2/8/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.myfaces.core:myfaces-core-module | maven | <= 1.1.7 | |
| org.apache.myfaces.core:myfaces-core-module | maven | >= 1.2.0, <= 1.2.8 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from MyFaces accepting client-side view state that it has neither encrypted nor integrity-protected. When javax.faces.STATE_SAVING_METHOD is set to client, the serialized component tree is written into the hidden javax.faces.ViewState field of every form and posted back on the next request, and StateManagerImpl.restoreView() rebuilds the view from that field. In the affected versions (1.1.x up to 1.1.7 and 1.2.0 up to 1.2.8) restoreView() deserializes whatever the client returns without requiring that it be encrypted, so an attacker who can get a victim's browser to submit a modified view state can plant attacker-controlled component attributes or EL in the restored view, which the page then renders as script or HTML. That is the CWE-79 pattern with the serialized view object as the injection vector; the AC:H in the CVSS vector reflects that client-side state saving must be in use and a victim must submit the tampered state.

Practically: upgrading to a release that enforces encryption of client-side state is the fix. Until then, switching to server-side state saving (javax.faces.STATE_SAVING_METHOD=server) or turning on MyFaces' own view-state encryption (org.apache.myfaces.USE_ENCRYPTION=true with a configured org.apache.myfaces.SECRET) removes the attack surface, because the client can no longer produce a view state the server will deserialize. Applications that merely render the view state but never verify it should be treated as exposed regardless of whether an XSS payload has been demonstrated.
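A quick way to confirm whether a deployment is exposed is to look at what the javax.faces.ViewState field actually contains: unencrypted client-side state decodes to a plain Java serialization stream (header bytes AC ED 00 05), optionally wrapped in gzip, while encrypted state or a server-side state id decodes to opaque bytes. The checker below is an added example written for this page, not code from the page or from the MyFaces project. It assumes the standard javax.faces.ViewState hidden-field name and that MyFaces may gzip the state before base64-encoding it; the sample tokens and HTML are constructed inline, not captured from a real system. An "opaque" result only means the state is not plainly readable; it does not prove the server rejects tampered state, so confirm the configuration as well.

```python
"""Classify a JSF javax.faces.ViewState value as readable serialized state or opaque."""
import base64
import binascii
import gzip
import hashlib
import re
import zlib
from typing import Optional

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header
GZIP_MAGIC = b"\x1f\x8b"

# Matches the hidden field MyFaces renders into every form (attribute order assumed).
VIEWSTATE_RE = re.compile(
    r'<input[^>]*name="javax\.faces\.ViewState"[^>]*value="([^"]*)"', re.I
)


def extract_view_state(html: str) -> Optional[str]:
    """Pull the javax.faces.ViewState value out of a rendered JSF page."""
    m = VIEWSTATE_RE.search(html)
    return m.group(1) if m else None


def decode_view_state(token: str) -> Optional[bytes]:
    """Base64-decode the field value, tolerating stripped padding."""
    s = token.strip()
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_view_state(token: str) -> str:
    """Return one of: plaintext-serialized, compressed-serialized, opaque, not-base64."""
    raw = decode_view_state(token)
    if raw is None:
        return "not-base64"
    compressed = False
    if raw.startswith(GZIP_MAGIC):  # state compressed before encoding (assumed MyFaces option)
        try:
            raw = gzip.decompress(raw)
            compressed = True
        except (OSError, EOFError, zlib.error):
            return "opaque"
    if raw.startswith(JAVA_SER_MAGIC):
        # The client can read and edit this stream; the server will deserialize it.
        return "compressed-serialized" if compressed else "plaintext-serialized"
    return "opaque"  # encrypted state or a server-side id; needs config review, not proof


def is_vulnerable_state(token: str) -> bool:
    """True when the token is an unencrypted serialization stream the client could tamper with."""
    return classify_view_state(token) in ("plaintext-serialized", "compressed-serialized")


# Constructed samples (not captured from any real deployment).
_SER_BODY = JAVA_SER_MAGIC + b"sr\x00\x11java.lang.Integer"  # truncated object stream
PLAIN_SAMPLE = base64.b64encode(_SER_BODY).decode()
COMPRESSED_SAMPLE = base64.b64encode(gzip.compress(_SER_BODY)).decode()
OPAQUE_SAMPLE = base64.b64encode(hashlib.sha256(b"encrypted view state").digest()).decode()
SAMPLE_HTML = (
    '<form id="f" method="post">'
    '<input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" '
    f'value="{PLAIN_SAMPLE}" />'
    "</form>"
)

if __name__ == "__main__":
    token = extract_view_state(SAMPLE_HTML)
    print("extracted:", classify_view_state(token))
    for label, tok in (("plain", PLAIN_SAMPLE), ("gzip", COMPRESSED_SAMPLE), ("opaque", OPAQUE_SAMPLE)):
        print(f"{label}: {classify_view_state(tok)} vulnerable={is_vulnerable_state(tok)}")
```

Run it against the ViewState value copied from a real page of the application under test; a plaintext-serialized or compressed-serialized result on a MyFaces 1.1.x/1.2.x deployment with client-side state saving is exactly the precondition this advisory describes.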