Description

jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application.

Remediation

References

CVE-2011-1484

Related Vulnerabilities

TCExam Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-5748)

MySQL CVE-2015-0503 Vulnerability (CVE-2015-0503)

CubeCart Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2009-4060)

Lodash CVE-2018-16487 Vulnerability (CVE-2018-16487)

OpenSSL Cryptographic Issues Vulnerability (CVE-2014-3566)

Severity

Medium

Classification

CVE-2011-1484 CWE-264

Tags

Missing Update Known Vulnerabilities