[seam-issues] [JBoss JIRA] (JBSEAM-4844) Seam 2 does not properly block access to EL expressions

Seam 2 does not properly block access to EL expressions ------------------------------------------------------- Key: JBSEAM-4844 URL: https://issues.jboss.org/browse/JBSEAM-4844 Project: Seam 2 Issue Type: Bug Components: EL Affects Versions: 2.2.0.GA, 2.2.1.Final, 2.2.2.Final Reporter: Marek Novotny Assignee: Marek Novotny Fix For: 2.3.0.ALPHA Seam 2 does not properly block access to JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this flaw to execute arbitrary code via a specially-crafted URL provided to certain applications based on the JBoss Seam 2 framework. Note: A properly configured and enabled Java Security Manager would prevent exploitation of this flaw. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1484)