CVE-2010-2086: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 17, 2022 (updated February 8, 2024)

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

References

www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf
github.com/advisories/GHSA-92cv-wv2c-8899
nvd.nist.gov/vuln/detail/CVE-2010-2086
www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt

Code Behaviors & Features

Detect and mitigate CVE-2010-2086 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →