|Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')|
|Vulnerability||Severity Score||Release Date||Summary|
|CVE-2010-2057||5.0||Oct. 20, 2010||
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
|CVE-2010-2086||4.0||May 27, 2010||
Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.