iDefense Security Advisory 06.14.07 - Remote exploitation of an input validation vulnerability in Apache Software Foundation's MyFaces Tomahawk JSF framework could allow an attacker to perform a cross-site scripting (XSS) attack. The code responsible for parsing HTTP requests is vulnerable to an XSS vulnerability. When parsing the 'autoscroll' parameter from a POST or GET request, the value of this variable is directly inserted into JavaScript that is sent back to the client. This allows an attacker to run arbitrary JavaScript in the context of the affected domain of the MyFaces application being targeted. iDefense has confirmed the existence of this vulnerability in MyFaces Tomahawk version 1.1.5. Previous versions may also be affected.
244283775e3ba1442966782ad515ee3b4e94173b27931fb11f8a1cb4f498d173