CVE-2019-17091
Severity CVSS v4.0: Pending analysis
Type: CWE-79 Cross-Site Scripting (XSS)
Publication date: 02/10/2019
Last modified: 06/04/2022
Description
faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.
Impact
| CVSS version | Base Score | Severity |
|---|---|---|
| 3.x | 6.10 | MEDIUM |
| 2.0 | 4.30 | MEDIUM |
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:eclipse:mojarra:*:*:*:*:*:*:*:* | 2.3.0 (including) | 2.3.10 (excluding) |
| cpe:2.3:a:oracle:mojarra_javaserver_faces:*:*:*:*:*:*:*:* | 2.2.0 (including) | 2.2.20 (excluding) |
| cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* | 8.0.0.0 (including) | 8.4.0.5 (including) |
| cpe:2.3:a:oracle:communications_network_integrity:7.3.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:healthcare_data_repository:7.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* | 15.1.0.0 (including) | 15.2.18.7 (including) |
References to Advisories, Solutions, and Tools
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244
- https://github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee
- https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f
- https://github.com/eclipse-ee4j/mojarra/compare/2.3.9-RELEASE...2.3.10-RELEASE
- https://github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt
- https://github.com/eclipse-ee4j/mojarra/issues/4556
- https://github.com/eclipse-ee4j/mojarra/pull/4567
- https://github.com/javaserverfaces/mojarra/commit/ae1c234d0a6750822ac69d4ae26d90e3571f27fe
- https://github.com/javaserverfaces/mojarra/commit/f61935cd39f34329fbf27b1972a506fbdd0ab4d4
- https://github.com/javaserverfaces/mojarra/compare/2.2.19...2.2.20
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html



