{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-07-15T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01.000Z", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "RHSA-2015:0765", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"tags": ["x_refsource_MISC"], "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU"}, {"name": "RHSA-2015:0675", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"}, {"name": "RHSA-2015:0720", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"name": "65600", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/65600"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"}, {"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://java.net/jira/browse/JAVASERVERFACES-3150"}, {"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Dec/23"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2013-5855", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2015:0765", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"name": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU", "refsource": "MISC", "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU"}, {"name": "RHSA-2015:0675", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", "refsource": "CONFIRM", "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"}, {"name": "RHSA-2015:0720", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"name": "65600", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65600"}, {"name": "https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258", "refsource": "CONFIRM", "url": "https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258"}, {"name": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"}, {"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"}, {"name": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"}, {"name": "https://java.net/jira/browse/JAVASERVERFACES-3150", "refsource": "CONFIRM", "url": "https://java.net/jira/browse/JAVASERVERFACES-3150"}, {"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Dec/23"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T17:22:31.230Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2015:0765", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU"}, {"name": "RHSA-2015:0675", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"}, {"name": "RHSA-2015:0720", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"name": "65600", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/65600"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"}, {"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://java.net/jira/browse/JAVASERVERFACES-3150"}, {"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2014/Dec/23"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2013-5855", "datePublished": "2014-07-17T02:36:00.000Z", "dateReserved": "2013-09-18T00:00:00.000Z", "dateUpdated": "2024-08-06T17:22:31.230Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:mojarra:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8D545A6A-CA1E-40F4-AFEF-8A22F1963959", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F9ED4467-18CC-4710-8343-0B5D3F1E0E8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "2629C89A-14F7-4642-ABC7-17428751563B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "0C44BE8D-C99C-45B7-BE72-5B4587F11DD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "2BE4C509-061C-49FF-99CA-848EF82F0FFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "283ECF0D-ED11-4D5C-8995-E93785CD1886", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "8F8F944C-42A2-4E4D-AB97-3800FE7BA086", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "C4FC9BF2-44D9-4514-950D-84E75E27C9BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "D1ADC8E6-C052-4A4E-B840-4DF68CEFE409", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "D2C62BDE-8BF2-4389-9511-BF8B54BF0E2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.10:*:*:*:*:*:*:*", "matchCriteriaId": "D3AB62D2-3836-43A9-8209-ECC01298DDF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.11:*:*:*:*:*:*:*", "matchCriteriaId": "CCC9D019-DE8F-4431-A79A-AD3507F993AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.12:*:*:*:*:*:*:*", "matchCriteriaId": "6E9DEC24-5347-4A2D-A705-74AEFFF0BB59", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.13:*:*:*:*:*:*:*", "matchCriteriaId": "3865ED07-C221-4A83-8048-747A030E163F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.14:*:*:*:*:*:*:*", "matchCriteriaId": "06463192-2C6E-4059-9D56-B3C7D56616A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.15:*:*:*:*:*:*:*", "matchCriteriaId": "19A02DAC-B2D0-4043-A9C5-0297D555B79E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.16:*:*:*:*:*:*:*", "matchCriteriaId": "3308CD3A-7D58-4251-85E4-AE16552CA850", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.17:*:*:*:*:*:*:*", "matchCriteriaId": "6460D8F1-762C-4703-B32F-2D3AF3075609", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.18:*:*:*:*:*:*:*", "matchCriteriaId": "8F53DF75-0B83-4260-9F1C-9131FDAEC751", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.19:*:*:*:*:*:*:*", "matchCriteriaId": "B2E4A67F-0E82-4C15-8A07-5FA58EA6C43E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.20:*:*:*:*:*:*:*", "matchCriteriaId": "56A24C0C-13B2-4E8F-8677-B43D0E81459F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.21:*:*:*:*:*:*:*", "matchCriteriaId": "656F4F63-5818-45DB-B616-3A82627CBE0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.22:*:*:*:*:*:*:*", "matchCriteriaId": "AA2C9A44-4977-4D8F-8713-4B8CD08C9C0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.23:*:*:*:*:*:*:*", "matchCriteriaId": "970027E5-EC84-4C9F-BB48-0EEDF9C84A1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.24:*:*:*:*:*:*:*", "matchCriteriaId": "B78471D0-5C90-479F-9318-ACF4CC0CF44B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.25:*:*:*:*:*:*:*", "matchCriteriaId": "88338F11-4E7D-451D-A265-0EFED5230CCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.26:*:*:*:*:*:*:*", "matchCriteriaId": "A5BC2BE1-4500-4ABA-A9BF-E84D433C9644", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.1.27:*:*:*:*:*:*:*", "matchCriteriaId": "7DF0069D-EA77-476A-8D74-77D29221391C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "D53E07D9-826D-4CCB-BFD0-345F3AB669C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "A506B90E-C4BE-4A16-901E-5D21AAE4FFD2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "945AF3FF-57F8-434C-8B2C-753E9E791A0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "9AC60987-2D5B-44A6-BB4B-4E34B095C4C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "FC5653BF-E8E4-4844-BFBD-9275DF072173", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mojarra:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "2CD86AF0-3DA1-4A1C-BFAC-1A0ED1B76CDB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors."}, {"lang": "es", "value": "Oracle Mojarra 2.2.x anterior a 2.2.6 y 2.1.x anterior a 2.1.28 no realiza la codificaci\u00f3n debida cuando se utilice (1) una etiqueta o (2) una expresi\u00f3n EL despu\u00e9s de un bloque del estilo scriptor, lo que permite a atacantes remotos realizar ataques de XSS a trav\u00e9s de vectores espec\u00edficos de una aplicaci\u00f3n."}], "id": "CVE-2013-5855", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-07-17T05:10:13.937", "references": [{"source": "secalert_us@oracle.com", "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU"}, {"source": "secalert_us@oracle.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"source": "secalert_us@oracle.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"source": "secalert_us@oracle.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"source": "secalert_us@oracle.com", "url": "http://seclists.org/fulldisclosure/2014/Dec/23"}, {"source": "secalert_us@oracle.com", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"}, {"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/bid/65600"}, {"source": "secalert_us@oracle.com", "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"}, {"source": "secalert_us@oracle.com", "url": "https://java.net/jira/browse/JAVASERVERFACES-3150"}, {"source": "secalert_us@oracle.com", "url": "https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2014/Dec/23"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/65600"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://java.net/jira/browse/JAVASERVERFACES-3150"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:0234", "cpe": "cpe:/a:redhat:jboss_bpms:6.0", "product_name": "Red Hat JBoss BPMS 6.0", "release_date": "2015-02-17T00:00:00Z"}, {"advisory": "RHSA-2015:0235", "cpe": "cpe:/a:redhat:jboss_brms:6.0", "product_name": "Red Hat JBoss BRMS 6.0", "release_date": "2015-02-17T00:00:00Z"}, {"advisory": "RHSA-2015:0765", "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.0", "product_name": "Red Hat JBoss Data Virtualization 6.0", "release_date": "2015-03-31T00:00:00Z"}, {"advisory": "RHSA-2015:0675", "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.1", "product_name": "Red Hat JBoss Data Virtualization 6.1", "release_date": "2015-03-11T00:00:00Z"}, {"advisory": "RHSA-2015:0720", "cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.0", "product_name": "Red Hat JBoss Fuse Service Works 6.0", "release_date": "2015-03-24T00:00:00Z"}, {"advisory": "RHSA-2014:0910", "cpe": "cpe:/a:redhat:jboss_operations_network:3.2.2", "product_name": "Red Hat JBoss Operations Network 3.2", "release_date": "2014-07-21T00:00:00Z"}, {"advisory": "RHSA-2015:1009", "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6.2", "package": "JSF", "product_name": "Red Hat JBoss Portal 6.2", "release_date": "2015-05-14T00:00:00Z"}, {"advisory": "RHSA-2014:0896", "cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.6.0", "package": "JSF", "product_name": "Red Hat JBoss Web Framework Kit 2.6", "release_date": "2014-07-16T00:00:00Z"}], "bugzilla": {"description": "JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions", "id": "1065139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065139"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.", "It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user's browser."], "name": "CVE-2013-5855", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform", "fix_state": "Affected", "package_name": "JSF", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "JSF", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Affected", "package_name": "JSF", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Not affected", "package_name": "JSF", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Affected", "package_name": "JSF", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Will not fix", "package_name": "JSF", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Affected", "package_name": "JSF", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "eap-4", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "JSF", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Affected", "package_name": "JSF", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Affected", "package_name": "JSF", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Will not fix", "package_name": "JSF", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3", "fix_state": "Will not fix", "package_name": "JSF", "product_name": "Red Hat JBoss SOA Platform 4.3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Will not fix", "package_name": "JSF", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:network_satellite:5.4", "fix_state": "Will not fix", "package_name": "JSF", "product_name": "Red Hat Satellite 5.4"}, {"cpe": "cpe:/a:redhat:network_satellite:5.5", "fix_state": "Will not fix", "package_name": "JSF", "product_name": "Red Hat Satellite 5.5"}, {"cpe": "cpe:/a:redhat:network_satellite:5.6", "fix_state": "Will not fix", "package_name": "JSF", "product_name": "Red Hat Satellite 5.6"}], "public_date": "2014-02-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-5855\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-5855\nhttp://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/bc-p/6370209"], "threat_severity": "Moderate"}

{}