Bug 1065139 (CVE-2013-5855) - CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
Status: CLOSED ERRATA
Alias: CVE-2013-5855
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1087197 1087182 1087184 1087185 1087186 1087187 1087188 1087189 1087191 1087192 1087193 1087194 1160704 1166951 1166952 1166953 1166954
Blocks: 1065140 1082938 1093885 1097952 1181883 1182400 1182419 1200191
Reported: 2014-02-14 02:06 UTC by David Jorm
Modified: 2021-02-17 06:52 UTC
CC: 36 users

Doc Type: Bug Fix
Doc Text:
It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user's browser.
Last Closed: 2019-06-08 02:31:36 UTC


Links
System                 | ID             | Private | Priority | Status       | Summary                                                         | Last Updated
Red Hat Product Errata | RHSA-2014:0896 | 0       | normal   | SHIPPED_LIVE | Moderate: Red Hat JBoss Web Framework Kit 2.6.0 update          | 2014-07-16 21:12:11 UTC
Red Hat Product Errata | RHSA-2014:0910 | 0       | normal   | SHIPPED_LIVE | Important: Red Hat JBoss Operations Network 3.2.2 update        | 2014-07-21 22:35:10 UTC
Red Hat Product Errata | RHSA-2015:0234 | 0       | normal   | SHIPPED_LIVE | Important: Red Hat JBoss BPM Suite 6.0.3 security update        | 2015-02-18 03:27:47 UTC
Red Hat Product Errata | RHSA-2015:0235 | 0       | normal   | SHIPPED_LIVE | Important: Red Hat JBoss BRMS 6.0.3 security update             | 2015-02-18 03:27:36 UTC
Red Hat Product Errata | RHSA-2015:0675 | 0       | normal   | SHIPPED_LIVE | Important: Red Hat JBoss Data Virtualization 6.1.0 update       | 2015-03-11 20:51:21 UTC
Red Hat Product Errata | RHSA-2015:0720 | 0       | normal   | SHIPPED_LIVE | Important: Red Hat JBoss Fuse Service Works 6.0.0 security update | 2015-03-25 01:05:53 UTC
Red Hat Product Errata | RHSA-2015:0765 | 0       | normal   | SHIPPED_LIVE | Important: Red Hat JBoss Data Virtualization 6.0.0 security update | 2015-03-31 21:00:43 UTC
Red Hat Product Errata | RHSA-2015:1009 | 0       | normal   | SHIPPED_LIVE | Important: Red Hat JBoss Portal 6.2.0 update                    | 2015-05-14 19:14:47 UTC

Description David Jorm 2014-02-14 02:06:55 UTC
It was found that Mojarra JSF would not properly escape user-supplied content in certain circumstances. The contents of outputText tags and raw EL expressions that immediately follow <script> or <style> elements were not escaped. If a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the user's browser.
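A triage check for the placement the description names, added here as an example that is not part of this bug record or of Mojarra: it scans a Facelets template for an h:outputText tag or a raw EL expression that immediately follows a closing script or style tag, so affected templates can be located while the fixed release is rolled out. The sample template is constructed for the example.

```python
"""Scan Facelets templates for the placement CVE-2013-5855 describes.

Added example, not code from the bug record or from Mojarra: flags an
h:outputText tag or a raw EL expression that immediately follows a
closing <script> or <style> tag, so affected templates can be found
while the fixed Mojarra release is rolled out.
"""
import re
from typing import List, Tuple

# Closing script/style tag, optional whitespace, then either an h:outputText
# tag or a raw #{...} / ${...} EL expression. Tag names match case-insensitively.
_AFTER_SCRIPT_OR_STYLE = re.compile(
    r"</(script|style)\s*>\s*(?P<hit><h:outputText\b|[#$]\{[^}]*\})",
    re.IGNORECASE,
)


def find_unescaped_candidates(template: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, element, snippet) for each rendered value that
    directly follows a script or style element in the template text."""
    hits = []
    for m in _AFTER_SCRIPT_OR_STYLE.finditer(template):
        line = template.count("\n", 0, m.start("hit")) + 1
        hits.append((line, m.group(1).lower(), m.group("hit")))
    return hits


# Constructed sample template: the outputText on line 4 follows a style
# element and the #{param.q} on line 9 follows a script element; the
# outputText on line 7 and the #{param.q} on line 10 do not.
SAMPLE_TEMPLATE = """<html xmlns:h="http://java.sun.com/jsf/html">
<head>
  <style>body { color: #333; }</style>
  <h:outputText value="#{page.title}"/>
</head>
<body>
  <h:outputText value="#{user.name}"/>
  <script src="app.js"></script>
  #{param.q}
  <p>#{param.q}</p>
</body>
</html>
"""

if __name__ == "__main__":
    for line, element, snippet in find_unescaped_candidates(SAMPLE_TEMPLATE):
        print(f"line {line}: {snippet!r} directly follows a {element} element")
```

Run it over a tree of .xhtml files to get a list of places to review; a hit is a candidate for review, not proof of exposure, since the rendered value may not be user-controlled.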

Comment 5 Arun Babu Neelicattu 2014-04-14 06:20:21 UTC
Created mojarra tracking bugs for this issue:

Affects: fedora-all [bug 1087182]

Comment 8 errata-xmlrpc 2014-07-16 17:12:40 UTC
This issue has been addressed in the following products:

  JBoss Web Framework Kit 2.6.0

Via RHSA-2014:0896 https://rhn.redhat.com/errata/RHSA-2014-0896.html

Comment 9 Martin Prpič 2014-07-17 14:16:36 UTC
Issue Description:

It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user's browser.

Comment 10 errata-xmlrpc 2014-07-21 18:35:21 UTC
This issue has been addressed in the following products:

  JBoss Operations Network 3.2.2

Via RHSA-2014:0910 https://rhn.redhat.com/errata/RHSA-2014-0910.html

Comment 14 errata-xmlrpc 2015-02-17 22:27:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 15 errata-xmlrpc 2015-02-17 22:31:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Comment 17 errata-xmlrpc 2015-03-11 16:52:11 UTC
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 18 errata-xmlrpc 2015-03-24 21:06:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Comment 19 errata-xmlrpc 2015-03-31 17:01:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

Comment 20 errata-xmlrpc 2015-05-14 15:16:06 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

Comment 21 gil cattaneo 2016-07-16 14:22:58 UTC
Hi,
com.sun.faces:jsf-impl:2.5.6 and org.glassfish.javax.faces:2.5.6
do not exist; the latest stable Mojarra/GlassFish JSF version is 2.3.0-M06.
Or do you mean another "crap" fork...?

Take a tour of
https://svn.java.net/svn/mojarra~svn/tags/
or
https://github.com/javaserverfaces/mojarra/tags/
Regards

Comment 22 gil cattaneo 2016-09-29 19:27:19 UTC
The 2.1.28 release is enough to solve this bug.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5855
