faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.07188.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
n/a n/a affected
Version Status Constraints
n/a affected

Configuration 1 [-]

OR cpe:2.3:a:eclipse:mojarra:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mojarra_javaserver_faces:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_integrity:7.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_data_repository:7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_advanced_inventory_planning:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_invoice_matching:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_store_inventory_management:14.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:time_and_labor:*:*:*:*:*:*:*:*

No data.

No data.

Project Subscriptions

Vendors Products
Eclipse Subscribe
Mojarra Subscribe
Oracle Subscribe
Application Testing Suite Subscribe
Banking Enterprise Product Manufacturing Subscribe
Communications Diameter Signaling Router Subscribe
Communications Network Integrity Subscribe
Communications Unified Inventory Management Subscribe
Enterprise Data Quality Subscribe
Health Sciences Information Manager Subscribe
Healthcare Data Repository Subscribe
Mojarra Javaserver Faces Subscribe
Primavera P6 Enterprise Project Portfolio Management Subscribe
Rapid Planning Subscribe
Retail Advanced Inventory Planning Subscribe
Retail Assortment Planning Subscribe
Retail Bulk Data Integration Subscribe
Retail Financial Integration Subscribe
Retail Integration Bus Subscribe
Retail Invoice Matching Subscribe
Retail Merchandising System Subscribe
Retail Service Backbone Subscribe
Retail Store Inventory Management Subscribe
Secure Global Desktop Subscribe
Time And Labor Subscribe
Advisories
Source ID Title
EUVD EUVD EUVD-2022-5190 faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.
Github GHSA Github GHSA GHSA-rjhx-c9qh-qh8f Cross-site Scripting in Eclipse Mojarra
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244 cve-icon cve-icon
https://github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee cve-icon cve-icon
https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f cve-icon cve-icon
https://github.com/eclipse-ee4j/mojarra/compare/2.3.9-RELEASE...2.3.10-RELEASE cve-icon cve-icon
https://github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt cve-icon cve-icon
https://github.com/eclipse-ee4j/mojarra/issues/4556 cve-icon cve-icon
https://github.com/eclipse-ee4j/mojarra/pull/4567 cve-icon cve-icon
https://github.com/javaserverfaces/mojarra/commit/ae1c234d0a6750822ac69d4ae26d90e3571f27fe cve-icon cve-icon
https://github.com/javaserverfaces/mojarra/commit/f61935cd39f34329fbf27b1972a506fbdd0ab4d4 cve-icon cve-icon
https://github.com/javaserverfaces/mojarra/compare/2.2.19...2.2.20 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuapr2020.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2020.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2020.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html cve-icon cve-icon
History

No history.

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-05T01:33:16.741Z

Reserved: 2019-10-02T00:00:00.000Z

Link: CVE-2019-17091

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-10-02T14:15:12.600

Modified: 2024-11-21T04:31:40.197

Link: CVE-2019-17091

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses