Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Oracle
  • Mojarra
Redhat
  • Jboss Bpms
  • Jboss Brms
  • Jboss Data Virtualization
  • Jboss Enterprise Portal Platform
  • Jboss Enterprise Web Framework
  • Jboss Fuse Service Works
  • Jboss Operations Network

Configuration 1 [-]

OR cpe:2.3:a:oracle:mojarra:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.13:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.14:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.16:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.19:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.20:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.21:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.22:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.23:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.24:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.25:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.1.27:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra:2.2.5:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat JBoss BPMS 6.0
cpe:/a:redhat:jboss_bpms:6.0 RHSA-2015:0234 2015-02-17T00:00:00Z
Red Hat JBoss BRMS 6.0
cpe:/a:redhat:jboss_brms:6.0 RHSA-2015:0235 2015-02-17T00:00:00Z
Red Hat JBoss Data Virtualization 6.0
cpe:/a:redhat:jboss_data_virtualization:6.0 RHSA-2015:0765 2015-03-31T00:00:00Z
Red Hat JBoss Data Virtualization 6.1
cpe:/a:redhat:jboss_data_virtualization:6.1 RHSA-2015:0675 2015-03-11T00:00:00Z
Red Hat JBoss Fuse Service Works 6.0
cpe:/a:redhat:jboss_fuse_service_works:6.0 RHSA-2015:0720 2015-03-24T00:00:00Z
Red Hat JBoss Operations Network 3.2
cpe:/a:redhat:jboss_operations_network:3.2.2 RHSA-2014:0910 2014-07-21T00:00:00Z
Red Hat JBoss Portal 6.2
JSF cpe:/a:redhat:jboss_enterprise_portal_platform:6.2 RHSA-2015:1009 2015-05-14T00:00:00Z
Red Hat JBoss Web Framework Kit 2.6
JSF cpe:/a:redhat:jboss_enterprise_web_framework:2.6.0 RHSA-2014:0896 2014-07-16T00:00:00Z
References
Link Providers
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU cve-icon cve-icon
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/bc-p/6370209 cve-icon
http://rhn.redhat.com/errata/RHSA-2015-0675.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2015-0720.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2015-0765.html cve-icon cve-icon
http://seclists.org/fulldisclosure/2014/Dec/23 cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html cve-icon cve-icon
http://www.securityfocus.com/archive/1/534161/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/bid/65600 cve-icon cve-icon
http://www.vmware.com/security/advisories/VMSA-2014-0012.html cve-icon cve-icon
https://java.net/jira/browse/JAVASERVERFACES-3150 cve-icon cve-icon
https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2013-5855 cve-icon
https://www.cve.org/CVERecord?id=CVE-2013-5855 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2024-08-06T17:22:31.230Z

Reserved: 2013-09-18T00:00:00

Link: CVE-2013-5855

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2014-07-17T05:10:13.937

Modified: 2025-04-12T10:46:40.837

Link: CVE-2013-5855

cve-icon Redhat

Severity : Moderate

Publid Date: 2014-02-07T00:00:00Z

Links: CVE-2013-5855 - Bugzilla