Apache MyFaces Tomahawk JSF Application autoscroll Multiple XSS

This script is Copyright (C) 2007-2015 Tenable Network Security, Inc.

Synopsis :

The remote web server uses a JSF framework that is vulnerable to a
cross-site scripting attack.

Description :

The remote web server uses an implementation of the Apache MyFaces
Tomahawk JSF framework that fails to sanitize user-supplied input to
the 'autoScroll' parameter before using it to generate dynamic
content. An unauthenticated, remote attacker may be able to leverage
this issue to inject arbitrary HTML or script code into a user's
browser to be executed within the security context of the affected
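The flaw described above is a reflection problem: a request parameter is copied into generated page content without being checked. The following is an added example, not code from the advisory, from Tenable, or from the MyFaces project. It shows the weak pattern (the raw value interpolated into a script block) beside a hardened renderer that validates the value and emits only the parsed integers, plus a small check that scans constructed access-log lines for autoScroll values that do not have the expected form. The expected "x,y" integer syntax, the `window.scrollTo` call, the path `/app/form.jsf` and the log lines are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shape of a legitimate autoScroll value: "<x>,<y>" with small
# non-negative integers. The advisory does not spell out the real syntax.
AUTOSCROLL_RE = re.compile(r"^(\d{1,6}),(\d{1,6})$")


def render_unsafe(autoscroll: str) -> str:
    """Illustrates the flaw class: the raw parameter value is placed straight
    into generated script content, so whatever the client sends is reflected
    verbatim into the page (hypothetical rendering, not MyFaces source)."""
    return f"<script>window.scrollTo({autoscroll});</script>"


def parse_autoscroll(value):
    """Return (x, y) if value has the expected numeric form, otherwise None."""
    m = AUTOSCROLL_RE.match(value or "")
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def render_safe(autoscroll: str) -> str:
    """Hardened form: validate first, then emit only the parsed integers.
    Nothing the client supplied is copied into the output; a malformed
    value simply drops the scroll script."""
    coords = parse_autoscroll(autoscroll)
    if coords is None:
        return ""
    x, y = coords
    return f"<script>window.scrollTo({x},{y});</script>"


# Constructed access-log lines (abbreviated common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2007:10:00:00 +0000] "GET /app/form.jsf?autoScroll=0,120 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2007:10:00:01 +0000] "GET /app/form.jsf?autoScroll=0%2C0%29%3Bbogus%28 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2007:10:00:02 +0000] "GET /app/form.jsf HTTP/1.1" 200 512
10.0.0.8 - - [01/Jan/2007:10:00:03 +0000] "POST /app/form.jsf?autoScroll=15,400 HTTP/1.1" 200 512
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def suspicious_autoscroll_requests(log_text: str):
    """Return request targets whose autoScroll parameter, after URL decoding,
    does not have the expected numeric form. parse_qs decodes percent-escapes,
    so encoded values are judged in their decoded form, not as sent on the wire."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("autoScroll", []):
            if parse_autoscroll(value) is None:
                hits.append(target)
    return hits


if __name__ == "__main__":
    for target in suspicious_autoscroll_requests(SAMPLE_LOG):
        print("unexpected autoScroll value in request:", target)
```

The validation step is what the upgrade in the Solution section buys you in the framework itself; the log check is a way to spot requests carrying values of the wrong shape on servers that have not yet been upgraded.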

Solution :

Upgrade to MyFaces Tomahawk version 1.1.6 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.6
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 25546

Bugtraq ID: 24480

CVE ID: CVE-2007-3101