CVE-2010-1871

Severity: HIGH (CVSS 3.1 base score 8.8)
Published: 2010-08-05

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:17 (vuln.today)
Added to CISA KEV: Oct 22, 2025 - 01:15 (cisa)
PoC Detected: Oct 22, 2025 - 01:15 (vuln.today), public exploit code
CVE Published: Aug 05, 2010 - 13:23 (nvd)

Description

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

Analysis

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to achieve arbitrary code execution via crafted URL parameters when the Java Security Manager is misconfigured.

Technical Context

The CWE-917 EL injection flaw allows attackers to inject arbitrary JBoss Expression Language expressions via URL parameters. These expressions are evaluated server-side, and when the Java Security Manager is absent or misconfigured, they can invoke arbitrary Java methods including Runtime.exec().

Affected Products

JBoss Seam 2 (jboss-seam2)
JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux

Remediation

Upgrade JBoss EAP and the Seam framework to fixed versions. Configure the Java Security Manager to restrict expression evaluation. Apply the Red Hat security errata patches for this issue.

Priority Score

Priority Score: 218

KEV: +50
EPSS: +93.7
CVSS: +44
POC: +20
