CVE-2010-2087

Description

Oracle Mojarra 1.2_14 and 2.0.2, as used in IBM WebSphere Application Server, Caucho Resin, and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

How to fix CVE-2010-2087

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• Debian/mojarra—no fix listed

Is CVE-2010-2087 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2010-2087