It was found that Mojarra JSF would not properly escape user-supplied content in certain circumstances. The contents of outputText tags and raw EL expressions that immediately follow <script> or <style> elements were not escaped. If a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the user's browser.
Upstream bug: https://java.net/jira/browse/JAVASERVERFACES-3150
Upstream patch commit: https://java.net/projects/mojarra/sources/svn/revision/12793
External References: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/bc-p/6370209
Created mojarra tracking bugs for this issue: Affects: fedora-all [bug 1087182]
This issue has been addressed in the following products: JBoss Web Framework Kit 2.6.0 Via RHSA-2014:0896 https://rhn.redhat.com/errata/RHSA-2014-0896.html
IssueDescription: It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user's browser.
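The failure mode described above is an escaping-state leak: a streaming HTML writer turns escaping off while it emits the body of a script or style element and fails to turn it back on, so the next outputText value (with its default escape="true") is written verbatim. The following Python model is an added example, not Mojarra's code and not the upstream patch; the writer class, its method names and the constructed page are assumptions chosen to illustrate the bug class and to check whether a rendered value came out escaped.

```python
import html

# Elements whose bodies must be written verbatim (no HTML escaping).
RAW_TEXT_ELEMENTS = {"script", "style"}


class HtmlWriter:
    """Minimal streaming HTML writer (constructed model, not Mojarra's ResponseWriter).

    reset_after_raw=False reproduces the bug class: escaping is switched off when a
    script/style element starts and never switched back on.
    reset_after_raw=True is the corrected behaviour: escaping is restored when the
    raw-text element ends.
    """

    def __init__(self, reset_after_raw: bool):
        self.out = []
        self.escape = True
        self.reset_after_raw = reset_after_raw

    def start_element(self, name: str) -> None:
        self.out.append(f"<{name}>")
        if name in RAW_TEXT_ELEMENTS:
            self.escape = False  # script/style bodies are not HTML text

    def end_element(self, name: str) -> None:
        self.out.append(f"</{name}>")
        if name in RAW_TEXT_ELEMENTS and self.reset_after_raw:
            self.escape = True  # the fix: leave raw mode with the element

    def write_text(self, text: str) -> None:
        # Equivalent of rendering an outputText value: escaped unless raw mode is on.
        self.out.append(html.escape(text, quote=True) if self.escape else text)

    def render(self) -> str:
        return "".join(self.out)


def render_page(user_value: str, reset_after_raw: bool) -> str:
    """Render a constructed page: a script element immediately followed by an
    outputText-like value that carries untrusted input."""
    w = HtmlWriter(reset_after_raw)
    w.start_element("script")
    w.write_text("var page = 'ok';")
    w.end_element("script")
    w.start_element("span")
    w.write_text(user_value)  # escape="true" is the intended default here
    w.end_element("span")
    return w.render()


def value_was_escaped(rendered: str, user_value: str) -> bool:
    """Defender's check: True if the untrusted value only appears escaped."""
    return user_value not in rendered and html.escape(user_value, quote=True) in rendered


# Constructed untrusted input containing markup; any tag would be interpreted if unescaped.
USER_VALUE = "<b>hello</b>"

if __name__ == "__main__":
    for fixed in (False, True):
        page = render_page(USER_VALUE, reset_after_raw=fixed)
        print("fixed" if fixed else "buggy", "->", page, "| escaped:", value_was_escaped(page, USER_VALUE))
```

The check in value_was_escaped is the same one a test suite or a response-side scanner can apply to a real rendered page: feed a marker value through the component and confirm that only its escaped form reaches the output, especially for components placed directly after script or style elements.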
This issue has been addressed in the following products: JBoss Operations Network 3.2.2 Via RHSA-2014:0910 https://rhn.redhat.com/errata/RHSA-2014-0910.html
This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
This issue has been addressed in the following products: JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.0.0 Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0 Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Hi, com.sun.faces:jsf-impl:2.5.6 and org.glassfish.javax.faces:2.5.6 do not exist; the latest stable Mojarra/GlassFish JSF version is 2.3.0-M06. Or do you mean another "crap" fork ...? Take a tour in https://svn.java.net/svn/mojarra~svn/tags/ or https://github.com/javaserverfaces/mojarra/tags/. Regards
To solve this bug, the 2.1.28 release is enough: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5855