Red Hat Security Advisory 2014-0462-01 - Red Hat JBoss Web Framework Kit combines popular open source web frameworks into a single solution for Java applications. The JBoss Seam Remoting component provides a convenient method for remotely accessing Seam components from a web page, using AJAX. It was found that JBoss Seam response envelopes included unsanitized parameter and ID names provided in the request. This allowed a request to inject arbitrary XML into the response. A remote attacker could use this flaw to perform reflected cross-site scripting attacks, provided the JBoss Seam remoting application did not use any cross-site request forgery protection.
a7f77a1d6c86ee29db8cf609f6d1db4c8b761f22f85aecd011aa370d3b1dbb3d
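The flaw class described above, reflecting request-supplied ID and parameter names into an XML response without escaping, is shown here as an added example; it is not Seam Remoting code or Red Hat's fix. The envelope layout, class name and method names are hypothetical, and the input is constructed with a harmless marker element.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public class EnvelopeEscapingDemo {
    // Hypothetical envelope layout (assumption): not the real Seam Remoting wire format.
    static String build(String callId, String value, boolean escape) {
        String id = escape ? xmlEscape(callId) : callId;
        String v = escape ? xmlEscape(value) : value;
        return "<envelope><result id=\"" + id + "\"><value>" + v
             + "</value></result></envelope>";
    }

    // Escape the five XML metacharacters so reflected request data stays data.
    static String xmlEscape(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Parse the envelope and count its elements; DOCTYPE is refused while parsing.
    static int elementCount(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
                .getElementsByTagName("*").getLength();
    }

    public static void main(String[] args) throws Exception {
        // Constructed request value: closes the attribute and adds a marker element.
        String id = "0\"/><injected/><result id=\"1";
        String unsafe = build(id, "ok", false);
        String safe = build(id, "ok", true);
        System.out.println("unescaped: " + elementCount(unsafe) + " elements  " + unsafe);
        System.out.println("escaped:   " + elementCount(safe) + " elements  " + safe);
    }
}
```

The unescaped envelope parses with extra elements supplied by the request, while the escaped one keeps the fixed envelope, result and value structure; comparing parsed element counts this way also works as a regression test for the response writer.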