CVE-2019-17091

faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

Published: Oct 2, 2019
Updated: Nov 9, 2025
CVE: CVE-2019-17091
GHSA: GHSA-rjhx-c9qh-qh8f
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
eclipse / mojarra	2.3.0	2.3.10
oracle / mojarra_javaserver_faces	2.2.0	2.2.20
oracle / retail_service_backbone	15.0	15.0.x
oracle / retail_integration_bus	15.0	15.0.x
oracle / retail_merchandising_system	16.0	16.0.x
oracle / application_testing_suite	13.2.0.1	13.2.0.1.x
oracle / application_testing_suite	13.3.0.1	13.3.0.1.x
oracle / secure_global_desktop	5.4	5.4.x
oracle / health_sciences_information_manager	3.0	3.0.x
oracle / retail_integration_bus	16.0	16.0.x
oracle / enterprise_data_quality	12.2.1.3.0	12.2.1.3.0.x
oracle / retail_financial_integration	15.0	15.0.x
oracle / retail_financial_integration	16.0	16.0.x
oracle / communications_unified_inventory_management	7.4.0	7.4.0.x
oracle / primavera_p6_enterprise_project_portfolio_management	19.12.0.0	19.12.0.0.x
oracle / primavera_p6_enterprise_project_portfolio_management	16.1.0.0	16.2.19.0.x
oracle / primavera_p6_enterprise_project_portfolio_management	15.1.0.0	15.2.18.7.x
oracle / secure_global_desktop	5.5	5.5.x
oracle / rapid_planning	12.1	12.1.x
oracle / rapid_planning	12.2	12.2.x
oracle / communications_diameter_signaling_router	8.0.0.0	8.4.0.5.x
oracle / communications_unified_inventory_management	7.3.0	7.3.0.x
oracle / retail_bulk_data_integration	16.0.3.0	16.0.3.0.x
oracle / retail_service_backbone	16.0	16.0.x
oracle / communications_network_integrity	7.3.5	7.3.5.x
oracle / communications_network_integrity	7.3.6	7.3.6.x
oracle / banking_enterprise_product_manufacturing	2.7.0	2.7.0.x
oracle / banking_enterprise_product_manufacturing	2.8.0	2.8.0.x
oracle / retail_store_inventory_management	14.0.4	14.0.4.x
oracle / retail_store_inventory_management	14.1.3	14.1.3.x
oracle / retail_store_inventory_management	15.0.3	15.0.3.x
oracle / retail_store_inventory_management	16.0.3	16.0.3.x
oracle / retail_advanced_inventory_planning	15.0	15.0.x
oracle / retail_advanced_inventory_planning	16.0	16.0.x
oracle / retail_assortment_planning	16.0.3	16.0.3.x
oracle / time_and_labor	12.2.6	12.2.11.x
oracle / healthcare_data_repository	7.0	7.0.x
oracle / primavera_p6_enterprise_project_portfolio_management	18.1.0.0	18.8.15.0.x
oracle / retail_invoice_matching	16.0	16.0.x
oracle / primavera_p6_enterprise_project_portfolio_management	17.1.0.0	17.12.15.0.x
org.glassfish / javax.faces	-	2.2.20
org.glassfish / jakarta.faces	-	2.3.10

Vulnerability Database

300,445

CVE-2019-17091

Deep Security Visibility Without the Complexity