Bug 1065139 (CVE-2013-5855)

Summary: CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdawidow, brms-jira, cdewolf, chazlett, cperry, darran.lofthouse, epp-bugs, fjuma, fnasser, grocha, huwang, jawilson, jbpapp-maint, jcoleman, jdg-bugs, jpallich, juan.hernandez, kejohnso, lgao, mgoldman, mjc, myarboro, pcheung, pgier, pslavice, puntogil, rhq-maint, rsvoboda, soa-p-jira, spinder, ssilvert, theute, tkirby, ttarrant, vtunka, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user's browser.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:31:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1087197, 1087182, 1087184, 1087185, 1087186, 1087187, 1087188, 1087189, 1087191, 1087192, 1087193, 1087194, 1160704, 1166951, 1166952, 1166953, 1166954    
Bug Blocks: 1065140, 1082938, 1093885, 1097952, 1181883, 1182400, 1182419, 1200191    

Description David Jorm 2014-02-14 02:06:55 UTC
It was found that Mojarra JSF would not properly escape user-supplied content in certain circumstances. The contents of outputText tags and raw EL expressions that immediately follow <script> or <style> elements were not escaped. If a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the user's browser.
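The practical way to confirm the behaviour described above on a deployed application is to send a harmless probe value through a request parameter that the page echoes via an `<h:outputText>` or a bare EL expression placed right after a `</script>` or `</style>`, then inspect the response for the probe surviving unescaped in exactly that position. The script below is an added example of that check, not code from Mojarra, JSF or Red Hat; the response bodies it scans are constructed by hand for illustration, and the URL, parameter name and probe string are assumptions rather than anything taken from this bug.

```python
"""Scan a captured JSF response for the CVE-2013-5855 escaping failure.

Added example (not Mojarra or Red Hat code). Assumes you have fetched a page
with the probe below supplied in a request parameter that the page renders
through <h:outputText> or a raw EL expression. The sample responses at the
bottom are constructed, not captured from a real system.
"""
import re
from typing import Optional
from urllib.parse import urlencode

# Harmless probe: a made-up element name. Correct escaping returns it as
# &lt;zz-probe&gt;; a vulnerable page returns the raw tag.
PROBE = "<zz-probe>"
ESCAPED_PROBE = "&lt;zz-probe&gt;"

_TAG_RE = re.compile(r"<[^>]*>")
_SCRIPT_OR_STYLE_CLOSE = re.compile(r"</\s*(script|style)\s*>", re.IGNORECASE)


def build_probe_url(base_url: str, param: str) -> str:
    """Return base_url with the probe supplied in the named query parameter."""
    sep = "&" if "?" in base_url else "?"
    return base_url + sep + urlencode({param: PROBE})


def preceding_tag(html: str, pos: int) -> Optional[str]:
    """Return the last complete tag that appears before offset pos, if any."""
    last = None
    for m in _TAG_RE.finditer(html, 0, pos):
        last = m.group(0)
    return last


def scan_response(html: str) -> dict:
    """Classify every occurrence of the probe in a response body.

    raw_after_script_or_style is the signature of this bug: the probe survives
    unescaped in the text run directly following a </script> or </style>.
    raw_elsewhere is still an XSS bug, just not the pattern described here.
    """
    result = {"escaped": 0, "raw_after_script_or_style": 0, "raw_elsewhere": 0}
    result["escaped"] = html.count(ESCAPED_PROBE)
    for m in re.finditer(re.escape(PROBE), html):
        tag = preceding_tag(html, m.start())
        if tag is not None and _SCRIPT_OR_STYLE_CLOSE.fullmatch(tag):
            result["raw_after_script_or_style"] += 1
        else:
            result["raw_elsewhere"] += 1
    return result


def is_vulnerable(html: str) -> bool:
    """True if the probe came back unescaped anywhere in the response."""
    r = scan_response(html)
    return r["raw_after_script_or_style"] > 0 or r["raw_elsewhere"] > 0


# Constructed sample responses (hypothetical, for illustration only).
# Vulnerable: the value rendered right after </script> is raw, while the same
# value rendered later in the page is escaped, matching the bug description.
VULNERABLE_RESPONSE = (
    "<html><head><script>var ready = true;</script>"
    "<zz-probe></head><body>"
    "<p>&lt;zz-probe&gt;</p></body></html>"
)
# Fixed: both renderings are escaped.
FIXED_RESPONSE = (
    "<html><head><script>var ready = true;</script>"
    "&lt;zz-probe&gt;</head><body><p>&lt;zz-probe&gt;</p></body></html>"
)
# A different escaping bug: raw output that does not follow script/style.
OTHER_RESPONSE = "<html><body><p><zz-probe></p></body></html>"

if __name__ == "__main__":
    print(build_probe_url("https://app.example/page.jsf", "name"))
    for name, body in (("vulnerable", VULNERABLE_RESPONSE),
                       ("fixed", FIXED_RESPONSE),
                       ("other", OTHER_RESPONSE)):
        print(name, scan_response(body), "vulnerable" if is_vulnerable(body) else "ok")
```

The distinction between `raw_after_script_or_style` and `raw_elsewhere` matters when triaging: only the former indicates the stateful script/style escaping failure this bug describes, and it is the case to re-test after upgrading, while a raw probe anywhere else points at a page that deliberately disables escaping (for example `escape="false"`) and needs a code fix rather than a library update.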

Comment 5 Arun Babu Neelicattu 2014-04-14 06:20:21 UTC
Created mojarra tracking bugs for this issue:

Affects: fedora-all [bug 1087182]

Comment 8 errata-xmlrpc 2014-07-16 17:12:40 UTC
This issue has been addressed in following products:

  JBoss Web Framework Kit 2.6.0

Via RHSA-2014:0896 https://rhn.redhat.com/errata/RHSA-2014-0896.html

Comment 9 Martin Prpič 2014-07-17 14:16:36 UTC
IssueDescription:

It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user's browser.

Comment 10 errata-xmlrpc 2014-07-21 18:35:21 UTC
This issue has been addressed in following products:

  JBoss Operations Network 3.2.2

Via RHSA-2014:0910 https://rhn.redhat.com/errata/RHSA-2014-0910.html

Comment 14 errata-xmlrpc 2015-02-17 22:27:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 15 errata-xmlrpc 2015-02-17 22:31:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Comment 17 errata-xmlrpc 2015-03-11 16:52:11 UTC
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 18 errata-xmlrpc 2015-03-24 21:06:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Comment 19 errata-xmlrpc 2015-03-31 17:01:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

Comment 20 errata-xmlrpc 2015-05-14 15:16:06 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

Comment 21 gil cattaneo 2016-07-16 14:22:58 UTC
Hi,
com.sun.faces:jsf-impl:2.5.6 and org.glassfish.javax.faces:2.5.6
do not exist; the latest stable Mojarra/GlassFish JSF version is 2.3.0-M06,
or do you mean another "crap" fork ...?

take a tour in
https://svn.java.net/svn/mojarra~svn/tags/
or
https://github.com/javaserverfaces/mojarra/tags/
regards

Comment 22 gil cattaneo 2016-09-29 19:27:19 UTC
To solve this bug, the 2.1.28 release is enough:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5855