Vulnerability Details CVE-2019-17091
faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.066
EPSS Ranking 90.7%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244
- https://github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee
- https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f
- https://github.com/eclipse-ee4j/mojarra/compare/2.3.9-RELEASE...2.3.10-RELEASE
- https://github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt
- https://github.com/eclipse-ee4j/mojarra/issues/4556
- https://github.com/eclipse-ee4j/mojarra/pull/4567
- https://github.com/javaserverfaces/mojarra/commit/ae1c234d0a6750822ac69d4ae26d90e3571f27fe
- https://github.com/javaserverfaces/mojarra/commit/f61935cd39f34329fbf27b1972a506fbdd0ab4d4
- https://github.com/javaserverfaces/mojarra/compare/2.2.19...2.2.20
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244
- https://github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee
- https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f
- https://github.com/eclipse-ee4j/mojarra/compare/2.3.9-RELEASE...2.3.10-RELEASE
- https://github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt
- https://github.com/eclipse-ee4j/mojarra/issues/4556
- https://github.com/eclipse-ee4j/mojarra/pull/4567
- https://github.com/javaserverfaces/mojarra/commit/ae1c234d0a6750822ac69d4ae26d90e3571f27fe
- https://github.com/javaserverfaces/mojarra/commit/f61935cd39f34329fbf27b1972a506fbdd0ab4d4
- https://github.com/javaserverfaces/mojarra/compare/2.2.19...2.2.20
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Products affected by CVE-2019-17091
-
cpe:2.3:a:eclipse:mojarra:2.3.0
-
cpe:2.3:a:eclipse:mojarra:2.3.1
-
cpe:2.3:a:eclipse:mojarra:2.3.2
-
cpe:2.3:a:eclipse:mojarra:2.3.3
-
cpe:2.3:a:eclipse:mojarra:2.3.3.99
-
cpe:2.3:a:eclipse:mojarra:2.3.4
-
cpe:2.3:a:eclipse:mojarra:2.3.5
-
cpe:2.3:a:eclipse:mojarra:2.3.6
-
cpe:2.3:a:eclipse:mojarra:2.3.7
-
cpe:2.3:a:eclipse:mojarra:2.3.8
-
cpe:2.3:a:eclipse:mojarra:2.3.9
-
cpe:2.3:a:oracle:application_testing_suite:13.2.0.1
-
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1
-
cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.7.0
-
cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.8.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4.0.5
-
cpe:2.3:a:oracle:communications_network_integrity:7.3.5
-
cpe:2.3:a:oracle:communications_network_integrity:7.3.6
-
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0
-
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0
-
cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0
-
cpe:2.3:a:oracle:health_sciences_information_manager:3.0
-
cpe:2.3:a:oracle:healthcare_data_repository:7.0
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.0
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.1
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.10
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.11
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.12
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.13
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.14
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.15
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.16
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.17
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.18
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.19
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.2
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.3
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.4
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.5
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.6
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.7
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.8
-
cpe:2.3:a:oracle:mojarra_javaserver_faces:2.2.9
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2.18
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2.18.7
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.18
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.19.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.1.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.10
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.11
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.1
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.12
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.14
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.15.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.4
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.2
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.2.16.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.3
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.4
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.5
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.6
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.7
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.8
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.9
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.1.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.11
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.15.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.0.0
-
cpe:2.3:a:oracle:rapid_planning:12.1
-
cpe:2.3:a:oracle:rapid_planning:12.2
-
cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0
-
cpe:2.3:a:oracle:retail_advanced_inventory_planning:16.0
-
cpe:2.3:a:oracle:retail_assortment_planning:16.0.3
-
cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0
-
cpe:2.3:a:oracle:retail_financial_integration:15.0
-
cpe:2.3:a:oracle:retail_financial_integration:16.0
-
cpe:2.3:a:oracle:retail_integration_bus:15.0
-
cpe:2.3:a:oracle:retail_integration_bus:16.0
-
cpe:2.3:a:oracle:retail_invoice_matching:16.0
-
cpe:2.3:a:oracle:retail_merchandising_system:16.0
-
cpe:2.3:a:oracle:retail_service_backbone:15.0
-
cpe:2.3:a:oracle:retail_service_backbone:16.0
-
cpe:2.3:a:oracle:retail_store_inventory_management:14.0.4
-
cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3
-
cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3
-
cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3
-
cpe:2.3:a:oracle:secure_global_desktop:5.4
-
cpe:2.3:a:oracle:secure_global_desktop:5.5
-
cpe:2.3:a:oracle:time_and_labor:12.2.11
-
cpe:2.3:a:oracle:time_and_labor:12.2.6