CVE-2013-5855

Impact:
Moderate
Public Date:
2014-02-07
CWE:
CWE-79
Bugzilla:
1065139: CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute arbitrary web script in the user's browser.
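The following is an added illustration, not Mojarra's code and not from the advisory: a constructed model of the rendering behaviour described above, with a renderer that reproduces the flaw (escaping skipped for output that immediately follows a script or style element) beside one that escapes every user-supplied value regardless of context, and a check a tester can run over rendered output. The node representation, the `script`/`style` detection regex and the sample template are assumptions made for the example.

```python
import html
import re
from typing import List, Tuple

# A page is modelled as a list of nodes (hypothetical representation):
#   ("markup", literal)  template text written to the response as-is
#   ("text", value)      an h:outputText value or raw EL expression supplied by the user,
#                        which must be HTML-escaped before it reaches the text context
Node = Tuple[str, str]

# Matches literal markup that ends with an opening or closing <script> / <style> tag.
_RAW_ELEMENT_RE = re.compile(r"</?(script|style)\b[^>]*>\s*$", re.IGNORECASE)


def render_buggy(nodes: List[Node]) -> str:
    """Mirrors the CVE-2013-5855 behaviour: a user value that immediately follows a
    script or style element is written without escaping."""
    out: List[str] = []
    previous_markup = ""
    for kind, value in nodes:
        if kind == "markup":
            out.append(value)
            previous_markup = value
        else:
            if _RAW_ELEMENT_RE.search(previous_markup):
                out.append(value)  # escaping skipped: injected markup reaches the browser
            else:
                out.append(html.escape(value, quote=True))
            previous_markup = ""
    return "".join(out)


def render_fixed(nodes: List[Node]) -> str:
    """Hardened form: every user-supplied text value is escaped, whatever precedes it."""
    return "".join(
        value if kind == "markup" else html.escape(value, quote=True)
        for kind, value in nodes
    )


def find_unescaped(rendered: str, user_values: List[str]) -> List[str]:
    """Detection check for a test suite: returns the user values that contain markup
    characters and appear verbatim in the rendered page (i.e. were not escaped)."""
    return [v for v in user_values if any(c in v for c in "<>&\"'") and v in rendered]


# Constructed sample template: two user values, the second placed right after a script element.
USER_VALUES = ["<b>Bob</b>", "<script>x</script>"]
TEMPLATE: List[Node] = [
    ("markup", "<p>Hello, "),
    ("text", USER_VALUES[0]),
    ("markup", "</p><script>var page = 1;</script>"),
    ("text", USER_VALUES[1]),
    ("markup", "<p>end</p>"),
]


def demo() -> Tuple[List[str], List[str]]:
    """Returns (unescaped values in the buggy output, unescaped values in the fixed output)."""
    return (
        find_unescaped(render_buggy(TEMPLATE), USER_VALUES),
        find_unescaped(render_fixed(TEMPLATE), USER_VALUES),
    )


if __name__ == "__main__":
    buggy, fixed = demo()
    print("buggy renderer leaked:", buggy)
    print("fixed renderer leaked:", fixed)
```

The first value is escaped by both renderers, since it is not adjacent to a script or style element; only the value positioned directly after the `</script>` tag survives unescaped in the buggy renderer, which is the condition the advisory describes. `find_unescaped` is the kind of assertion worth keeping in a view-rendering test suite: render a page with marker values containing `<` and fail if any marker appears verbatim.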

Find out more about CVE-2013-5855 from the MITRE CVE dictionary and NIST NVD.

Statement

Red Hat JBoss BRMS 5:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss EAP 5:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss EAP 6:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss EWS 1:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Enterprise SOA Platform 4.3:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Enterprise SOA Platform 5:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Portal 5:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat Satellite 5.4:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat Satellite 5.5:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat Satellite 5.6:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

CVSS v2 metrics

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Portal 6.2 RHSA-2015:1009 2015-05-14
Red Hat JBoss BPMS 6.0 RHSA-2015:0234 2015-02-17
Red Hat JBoss Data Virtualization 6.0 RHSA-2015:0765 2015-03-31
Red Hat JBoss Operations Network 3.2 RHSA-2014:0910 2014-07-21
Red Hat JBoss Data Virtualization 6.1 RHSA-2015:0675 2015-03-11
Red Hat JBoss Fuse Service Works 6.0 RHSA-2015:0720 2015-03-24
Red Hat JBoss BRMS 6.0 RHSA-2015:0235 2015-02-17

Affected Packages State

Platform Package State
Red Hat Satellite 5.6 JSF Will not fix
Red Hat Satellite 5.5 JSF Will not fix
Red Hat Satellite 5.4 JSF Will not fix
Red Hat JBoss Portal 5 JSF Will not fix
Red Hat JBoss Enterprise SOA Platform 5 JSF Will not fix
Red Hat JBoss Enterprise SOA Platform 4.3 JSF Will not fix
Red Hat JBoss EWS 1 JSF Will not fix
Red Hat JBoss EAP 6 JSF Will not fix
Red Hat JBoss EAP 5 JSF Will not fix
Red Hat JBoss Data Grid 6 JSF Not affected
Red Hat JBoss BRMS 5 JSF Will not fix
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.