VYPR
Moderate severity · NVD Advisory · Published Oct 2, 2019 · Updated Aug 5, 2024

CVE-2019-17091

Description

faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Eclipse Mojarra JSF due to improper handling of client window field, allowing script injection in the context of the application.

Vulnerability

Overview

The vulnerability resides in faces/context/PartialViewContextImpl.java of Eclipse Mojarra, the reference implementation of JavaServer Faces (JSF). The bug is a reflected cross-site scripting (XSS) issue caused by improper handling of the client window field. This field, which can be influenced by user input, is not sufficiently sanitized before being included in the page response, allowing an attacker to inject arbitrary JavaScript[1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL or form submission that includes a manipulated javax.faces.ClientWindow parameter or similar. The victim needs to be tricked into clicking such a link or visiting a malicious page. No authentication is required, but the victim must be logged into the target application for the injected script to execute in the application's security context[3][4].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the context of the JSF application. This can lead to session hijacking, manipulation of application content, redirection to malicious sites, or other attacks performed on behalf of the victim[3].

Mitigation

Eclipse Mojarra has addressed this vulnerability in versions 2.3.10 and 2.2.20. Users are advised to upgrade to these or later versions. Workarounds include implementing custom filters or input validation to sanitize client window parameters[2][4].
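The Overview and Mitigation sections above describe two halves of the defence: escaping the client window id where it is written into the partial response (what the fix commit does by switching to writeText), and validating the incoming javax.faces.ClientWindow parameter as a workaround. The following is an added illustration written for this page, not Mojarra's code: the <update> markup is a simplified model of a partial-response element and does not reproduce Mojarra's PartialResponseWriter, the parameter name is taken from the advisory text above, and the allowed character set in SAFE_ID is an assumption that must be checked against the id format the deployed JSF stack actually generates before it is enforced.

```java
import java.util.regex.Pattern;

/**
 * Added example for CVE-2019-17091 (not Mojarra code).
 * Contrasts writing a client window id verbatim into a partial-response
 * element with XML-escaping it first, and shows an input-validation check
 * a deployment could apply to the parameter as an interim workaround.
 */
public final class ClientWindowIdHandling {

    // Parameter name as given in the advisory text above.
    static final String CLIENT_WINDOW_PARAM = "javax.faces.ClientWindow";

    // ASSUMPTION: conservative charset and length for a window id.
    // Verify against the ids your JSF implementation emits before enforcing.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Minimal XML text escaping: the behaviour a writeText-style call gives and a raw write does not. */
    static String escapeXmlText(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Pre-fix shape (simplified model): the id lands in the response unchanged. */
    static String renderUpdateUnescaped(String windowId) {
        return "<update id=\"" + CLIENT_WINDOW_PARAM + "\">" + windowId + "</update>";
    }

    /** Post-fix shape (simplified model): markup characters in the id are neutralised. */
    static String renderUpdateEscaped(String windowId) {
        return "<update id=\"" + CLIENT_WINDOW_PARAM + "\">" + escapeXmlText(windowId) + "</update>";
    }

    /** Workaround-style input check: reject ids that do not match the expected shape. */
    static boolean isAcceptableClientWindowId(String value) {
        return value != null && SAFE_ID.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed samples: a normal-looking id and one carrying markup characters.
        String normal = "w1";
        String markup = "w1<b>&x";

        System.out.println("unescaped: " + renderUpdateUnescaped(markup));
        System.out.println("escaped  : " + renderUpdateEscaped(markup));
        System.out.println("accept '" + normal + "': " + isAcceptableClientWindowId(normal));
        System.out.println("accept '" + markup + "': " + isAcceptableClientWindowId(markup));
    }
}
```

Compile and run with `javac ClientWindowIdHandling.java && java ClientWindowIdHandling`. The escaped line keeps the element well-formed whatever the id contains, which is the property the fix restores; the validator is the defence-in-depth layer a servlet filter could apply in front of an unpatched deployment, and it should be kept strict enough to fail closed rather than attempting to "clean" a bad value.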

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Affected versions   Patched versions
org.glassfish:javax.faces (Maven)     < 2.2.20            2.2.20
org.glassfish:jakarta.faces (Maven)   < 2.3.10            2.3.10

Affected products: 4

Patches: 5
e22ed3cd5373

Prepare release org.glassfish:jakarta.faces:2.3.10

https://github.com/eclipse-ee4j/mojarra · Eclipse Mojarra Bot · Jul 10, 2019 · via osv
6 files changed · +6 -6
  • api/pom.xml (+1 -1, modified)
    @@ -33,7 +33,7 @@
         <parent>
             <groupId>org.glassfish</groupId>
             <artifactId>mojarra-parent</artifactId>
    -        <version>2.3.10-SNAPSHOT</version>
    +        <version>2.3.10</version>
         </parent>
         
         <groupId>jakarta.faces</groupId>
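Review bot: this hunk, like the five that follow in commit e22ed3cd5373, only moves the parent version from 2.3.10-SNAPSHOT to 2.3.10 and touches no Java source, so the commit is the release tag that ships the fix rather than the fix itself; anyone tracing the advisory to code should look at the PartialViewContextImpl.java change in 8f70f2bd024f / a3fa9573789e below, and a patch-tracking tool should not treat this pom.xml bump as evidence that a fork carrying it has the escaping change.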
    
  • impl/pom.xml (+1 -1, modified)
    @@ -34,7 +34,7 @@
         <parent>
             <groupId>org.glassfish</groupId>
             <artifactId>mojarra-parent</artifactId>
    -        <version>2.3.10-SNAPSHOT</version>
    +        <version>2.3.10</version>
         </parent>
         
         <artifactId>jakarta.faces</artifactId>
    
  • jsf-tools/pom.xml (+1 -1, modified)
    @@ -25,7 +25,7 @@
         <parent>
             <groupId>org.glassfish</groupId>
             <artifactId>mojarra-parent</artifactId>
    -        <version>2.3.10-SNAPSHOT</version>
    +        <version>2.3.10</version>
         </parent>
        
         <groupId>com.sun.faces.build</groupId>
    
  • pom.xml (+1 -1, modified)
    @@ -27,7 +27,7 @@
         
         <groupId>org.glassfish</groupId>
         <artifactId>mojarra-parent</artifactId>
    -    <version>2.3.10-SNAPSHOT</version>
    +    <version>2.3.10</version>
         <packaging>pom</packaging>
         
         <name>Mojarra ${project.version} - Project</name>
    
  • test/pom.xml (+1 -1, modified)
    @@ -193,7 +193,7 @@
             <dependency>
                 <groupId>com.sun.faces</groupId>
                 <artifactId>util</artifactId>
    -            <version>2.3.10-SNAPSHOT</version>
    +            <version>2.3.10</version>
                 <scope>test</scope>
             </dependency>
         </dependencies>
    
  • util/pom.xml (+1 -1, modified)
    @@ -24,7 +24,7 @@
         <parent>
             <groupId>org.glassfish</groupId>
             <artifactId>mojarra-parent</artifactId>
    -        <version>2.3.10-SNAPSHOT</version>
    +        <version>2.3.10</version>
         </parent>
         
         <groupId>com.sun.faces</groupId>
    
8f70f2bd024f

Merge pull request #4567 from ruolli/Issue_4556

https://github.com/eclipse-ee4j/mojarra · Ruolin Li · May 16, 2019 · via ghsa
1 file changed · +1 -1
  • impl/src/main/java/com/sun/faces/context/PartialViewContextImpl.java (+1 -1, modified)
    @@ -511,7 +511,7 @@ private void renderState(FacesContext context) throws IOException {
             if (null != window) {
                 String clientWindowId = Util.getClientWindowId(context);
                 writer.startUpdate(clientWindowId);
    -            writer.write(window.getId());
    +            writer.writeText(window.getId(), null);
                 writer.endUpdate();
             }
         }
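Review bot: the replacement `writer.writeText(window.getId(), null);` closes the sink by escaping the client window id on output, but the hunk carries no regression test and the surrounding context shows window.getId() still reaching the writer without any input-side check; suggest adding a test that pushes an id containing `<`, `&` and `"` through renderState and asserts the partial response remains well-formed, so a future refactor back to write() is caught. Passing null as the second argument is the ResponseWriter.writeText property hint and is acceptable here because the value is not bound to a component attribute, though a one-line comment on why write() was wrong would help the next reader, since the two calls look interchangeable.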
    
a3fa9573789e

Fixes #4556 : HIGH-LEVEL VULNERABILITY WITHIN MOJARRA JSF V2.2

1 file changed · +1 -1
  • impl/src/main/java/com/sun/faces/context/PartialViewContextImpl.java (+1 -1, modified)
    @@ -511,7 +511,7 @@ private void renderState(FacesContext context) throws IOException {
             if (null != window) {
                 String clientWindowId = Util.getClientWindowId(context);
                 writer.startUpdate(clientWindowId);
    -            writer.write(window.getId());
    +            writer.writeText(window.getId(), null);
                 writer.endUpdate();
             }
         }
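Review bot: this hunk is identical to the one under merge commit 8f70f2bd024f above (same file, same `@@ -511,7 +511,7 @@` range, same write → writeText replacement), so the advisory lists the one-line fix twice, once as the PR commit a3fa9573789e and once via its merge; there is nothing additional to review here, but a consumer scripting against these patch entries should de-duplicate by hunk content rather than counting commits.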
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 18

News mentions: 0

No linked articles in our index yet.