CVE-2013-5855: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions

July 17, 2014 (updated October 9, 2018)

This package does not perform appropriate encoding when a <h:outputText> tag or EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.

References

h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/bc-p/6370209
bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5855
java.net/jira/browse/JAVASERVERFACES-3150

Code Behaviors & Features

Detect and mitigate CVE-2013-5855 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →