Moderate severityNVD Advisory· Published May 27, 2010· Updated Apr 29, 2026

CVE-2010-2086

Description

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.myfaces.core:myfaces-core-moduleMaven	<= 1.1.7	—
org.apache.myfaces.core:myfaces-core-moduleMaven	>= 1.2.0, <= 1.2.8	—

Affected products

Apache/Myfaces2 versions
cpe:2.3:a:apache:myfaces:1.1.7:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:apache:myfaces:1.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.2.8:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000