CVE-2019-17091

Summary

CVE	CVE-2019-17091
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-10-02 14:15:00 UTC
Updated	2022-04-06 18:00:00 UTC
Description	faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

Risk And Classification

Problem Types: CWE-79

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Eclipse	Mojarra	All	All	All	All
Application	Eclipse	Mojarra	All	All	All	All
Application	Oracle	Application Testing Suite	13.2.0.1	All	All	All
Application	Oracle	Application Testing Suite	13.3.0.1	All	All	All
Application	Oracle	Banking Enterprise Product Manufacturing	2.7.0	All	All	All
Application	Oracle	Banking Enterprise Product Manufacturing	2.8.0	All	All	All
Application	Oracle	Communications Diameter Signaling Router	All	All	All	All
Application	Oracle	Communications Network Integrity	7.3.5	All	All	All
Application	Oracle	Communications Network Integrity	7.3.6	All	All	All
Application	Oracle	Communications Unified Inventory Management	7.3.0	All	All	All
Application	Oracle	Communications Unified Inventory Management	7.4.0	All	All	All
Application	Oracle	Enterprise Data Quality	12.2.1.3.0	All	All	All
Application	Oracle	Healthcare Data Repository	7.0	All	All	All
Application	Oracle	Health Sciences Information Manager	3.0	All	All	All
Application	Oracle	Mojarra Javaserver Faces	All	All	All	All
Application	Oracle	Mojarra Javaserver Faces	All	All	All	All
Application	Oracle	Primavera P6 Enterprise Project Portfolio Management	19.12.0.0	All	All	All
Application	Oracle	Primavera P6 Enterprise Project Portfolio Management	All	All	All	All
Application	Oracle	Primavera P6 Enterprise Project Portfolio Management	All	All	All	All
Application	Oracle	Primavera P6 Enterprise Project Portfolio Management	All	All	All	All
Application	Oracle	Primavera P6 Enterprise Project Portfolio Management	All	All	All	All
Application	Oracle	Rapid Planning	12.1	All	All	All
Application	Oracle	Rapid Planning	12.2	All	All	All
Application	Oracle	Retail Advanced Inventory Planning	15.0	All	All	All
Application	Oracle	Retail Advanced Inventory Planning	16.0	All	All	All
Application	Oracle	Retail Assortment Planning	16.0.3	All	All	All
Application	Oracle	Retail Bulk Data Integration	16.0.3.0	All	All	All
Application	Oracle	Retail Financial Integration	15.0	All	All	All
Application	Oracle	Retail Financial Integration	16.0	All	All	All
Application	Oracle	Retail Integration Bus	15.0	All	All	All
Application	Oracle	Retail Integration Bus	16.0	All	All	All
Application	Oracle	Retail Invoice Matching	16.0	All	All	All
Application	Oracle	Retail Merchandising System	16.0	All	All	All
Application	Oracle	Retail Service Backbone	15.0	All	All	All
Application	Oracle	Retail Service Backbone	16.0	All	All	All
Application	Oracle	Retail Store Inventory Management	14.0.4	All	All	All
Application	Oracle	Retail Store Inventory Management	14.1.3	All	All	All
Application	Oracle	Retail Store Inventory Management	15.0.3	All	All	All
Application	Oracle	Retail Store Inventory Management	16.0.3	All	All	All
Application	Oracle	Secure Global Desktop	5.4	All	All	All
Application	Oracle	Secure Global Desktop	5.5	All	All	All
Application	Oracle	Time And Labor	All	All	All	All

References

Reference	Source	Link	Tags
548244 – Vulnerability within Oracle Mojarra JSF v2.2 and v2.3	MISC	bugs.eclipse.org	Exploit, Issue Tracking, Patch, Vendor Advisory
HIGH-LEVEL VULNERABILITY WITHIN MOJARRA JSF V2.2 · Issue #4556 · eclipse-ee4j/mojarra · GitHub	MISC	github.com	Third Party Advisory
Merge pull request #4567 from ruolli/Issue_4556 · eclipse-ee4j/mojarra@8f70f2b · GitHub	MISC	github.com	Patch, Third Party Advisory
github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt	MISC	github.com	Exploit, Third Party Advisory
Fixes #4556 : HIGH-LEVEL VULNERABILITY WITHIN MOJARRA JSF V2.2 · eclipse-ee4j/mojarra@a3fa957 · GitHub	MISC	github.com	Patch, Third Party Advisory
Oracle Critical Patch Update Advisory - July 2020	MISC	www.oracle.com
Comparing 2.3.9-RELEASE...2.3.10-RELEASE · eclipse-ee4j/mojarra · GitHub	MISC	github.com	Release Notes, Third Party Advisory
Oracle Critical Patch Update Advisory - October 2020	MISC	www.oracle.com
Bug 29700737 - XSS VULNERABILITY IN MOJARRA CLIENTWINDOW URL PARAMETER · javaserverfaces/mojarra@ae1c234 · GitHub	MISC	github.com	Patch, Third Party Advisory
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Fixes #4556 : HIGH-LEVEL VULNERABILITY WITHIN MOJARRA JSF V2.2 by ruolli · Pull Request #4567 · eclipse-ee4j/mojarra · GitHub	MISC	github.com	Patch, Third Party Advisory
Bug 29700737 - XSS VULNERABILITY IN MOJARRA CLIENTWINDOW URL PARAMETER · javaserverfaces/mojarra@f61935c · GitHub	MISC	github.com	Patch, Third Party Advisory
Oracle Critical Patch Update - October 2019	MISC	www.oracle.com	Third Party Advisory
Oracle Critical Patch Update Advisory - January 2020	MISC	www.oracle.com
Oracle Critical Patch Update Advisory - April 2020	N/A	www.oracle.com
Oracle Critical Patch Update Advisory - January 2021	MISC	www.oracle.com
Comparing 2.2.19...2.2.20 · javaserverfaces/mojarra · GitHub	MISC	github.com	Patch, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.