CVE-2010-2087

NameCVE-2010-2087
DescriptionOracle Mojarra 1.2_14 and 2.0.2, as used in IBM WebSphere Application Server, Caucho Resin, and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs611130

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mojarra (PTS)stretch2.2.8-3vulnerable
bookworm, sid, buster, bullseye2.2.8-6vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mojarrasource(unstable)(unfixed)unimportant611130

Notes

Affected feature is fundamentally insecure
Search for package or bug name: Reporting problems