Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Oracle
  • Mojarra
Redhat
  • Jboss Bpms
  • Jboss Brms
  • Jboss Data Virtualization
  • Jboss Enterprise Portal Platform
  • Jboss Enterprise Web Framework
  • Jboss Fuse Service Works
  • Jboss Operations Network

Configuration 1 [-]

OR cpe:2.3:a:oracle:mojarra:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.13:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.14:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.16:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.19:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.20:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.21:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.22:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.23:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.24:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.25:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.27:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.5:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat JBoss BPMS 6.0
cpe:/a:redhat:jboss_bpms:6.0 RHSA-2015:0234 2015-02-17T00:00:00Z
Red Hat JBoss BRMS 6.0
cpe:/a:redhat:jboss_brms:6.0 RHSA-2015:0235 2015-02-17T00:00:00Z
Red Hat JBoss Data Virtualization 6.0
cpe:/a:redhat:jboss_data_virtualization:6.0 RHSA-2015:0765 2015-03-31T00:00:00Z
Red Hat JBoss Data Virtualization 6.1
cpe:/a:redhat:jboss_data_virtualization:6.1 RHSA-2015:0675 2015-03-11T00:00:00Z
Red Hat JBoss Fuse Service Works 6.0
cpe:/a:redhat:jboss_fuse_service_works:6.0 RHSA-2015:0720 2015-03-24T00:00:00Z
Red Hat JBoss Operations Network 3.2
cpe:/a:redhat:jboss_operations_network:3.2.2 RHSA-2014:0910 2014-07-21T00:00:00Z
Red Hat JBoss Portal 6.2
JSF cpe:/a:redhat:jboss_enterprise_portal_platform:6.2 RHSA-2015:1009 2015-05-14T00:00:00Z
Red Hat JBoss Web Framework Kit 2.6
JSF cpe:/a:redhat:jboss_enterprise_web_framework:2.6.0 RHSA-2014:0896 2014-07-16T00:00:00Z
References
Link Providers
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU cve-icon cve-icon
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/bc-p/6370209 cve-icon
http://rhn.redhat.com/errata/RHSA-2015-0675.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2015-0720.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2015-0765.html cve-icon cve-icon
http://seclists.org/fulldisclosure/2014/Dec/23 cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html cve-icon cve-icon
http://www.securityfocus.com/archive/1/534161/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/bid/65600 cve-icon cve-icon
http://www.vmware.com/security/advisories/VMSA-2014-0012.html cve-icon cve-icon
https://java.net/jira/browse/JAVASERVERFACES-3150 cve-icon cve-icon
https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2013-5855 cve-icon
https://www.cve.org/CVERecord?id=CVE-2013-5855 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2014-07-17T02:36:00

Updated: 2024-08-06T17:22:31.230Z

Reserved: 2013-09-18T00:00:00

Link: CVE-2013-5855

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2014-07-17T05:10:13.937

Modified: 2025-04-12T10:46:40.837

Link: CVE-2013-5855

cve-icon Redhat

Severity : Moderate

Publid Date: 2014-02-07T00:00:00Z

Links: CVE-2013-5855 - Bugzilla