CVE-2019-17091

Exploit

EPSS 8.42%
Published 02.10.2019 14:15:12
Last modified 21.11.2024 04:31:40
Source cve@mitre.org
Teams watchlist Login
Open Login

faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

Affected products Warnungen 0 Metrics 3 CWE 1 References 20

Data is provided by the National Vulnerability Database (NVD)

Eclipse ≫ Mojarra Version >= 2.3.0 < 2.3.10

Oracle ≫ Mojarra Javaserver Faces Version >= 2.2.0 < 2.2.20

Oracle ≫ Application Testing Suite Version13.2.0.1

Oracle ≫ Application Testing Suite Version13.3.0.1

Oracle ≫ Banking Enterprise Product Manufacturing Version2.7.0

Oracle ≫ Banking Enterprise Product Manufacturing Version2.8.0

Oracle ≫ Communications Diameter Signaling Router Version >= 8.0.0.0 <= 8.4.0.5

Oracle ≫ Communications Network Integrity Version7.3.5

Oracle ≫ Communications Network Integrity Version7.3.6

Oracle ≫ Communications Unified Inventory Management Version7.3.0

Oracle ≫ Communications Unified Inventory Management Version7.4.0

Oracle ≫ Enterprise Data Quality Version12.2.1.3.0

Oracle ≫ Health Sciences Information Manager Version3.0

Oracle ≫ Healthcare Data Repository Version7.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 15.1.0.0 <= 15.2.18.7

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 16.1.0.0 <= 16.2.19.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 17.1.0.0 <= 17.12.15.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 18.1.0.0 <= 18.8.15.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version19.12.0.0

Oracle ≫ Rapid Planning Version12.1

Oracle ≫ Rapid Planning Version12.2

Oracle ≫ Retail Advanced Inventory Planning Version15.0

Oracle ≫ Retail Advanced Inventory Planning Version16.0

Oracle ≫ Retail Assortment Planning Version16.0.3

Oracle ≫ Retail Bulk Data Integration Version16.0.3.0

Oracle ≫ Retail Financial Integration Version15.0

Oracle ≫ Retail Financial Integration Version16.0

Oracle ≫ Retail Integration Bus Version15.0

Oracle ≫ Retail Integration Bus Version16.0

Oracle ≫ Retail Invoice Matching Version16.0

Oracle ≫ Retail Merchandising System Version16.0

Oracle ≫ Retail Service Backbone Version15.0

Oracle ≫ Retail Service Backbone Version16.0

Oracle ≫ Retail Store Inventory Management Version14.0.4

Oracle ≫ Retail Store Inventory Management Version14.1.3

Oracle ≫ Retail Store Inventory Management Version15.0.3

Oracle ≫ Retail Store Inventory Management Version16.0.3

Oracle ≫ Secure Global Desktop Version5.4

Oracle ≫ Secure Global Desktop Version5.5

Oracle ≫ Time And Labor Version >= 12.2.6 <= 12.2.11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	8.42%	0.919

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.oracle.com/security-alerts/cpujan2020.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Patch

Third Party Advisory