Apache Myfaces vulnerabilities

5 known vulnerabilities affecting apache/myfaces.

Total CVEs: 5
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 3

Vulnerabilities

CVE-2021-26296 | HIGH | CVSS 7.5 | Affected: ≥ 2.2.0, ≤ 2.2.13; ≥ 2.3.0, ≤ 2.3.7; +2 more | Published: 2021-02-19
CWE-352. In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use th
Source: nvd
CVE-2011-4343 | HIGH | CVSS 7.5 | Affected: v2.0.1, v2.0.2, +13 more | Published: 2017-08-08
CWE-200. Information disclosure vulnerability in Apache MyFaces Core 2.0.1 through 2.0.10 and 2.1.0 through 2.1.4 allows remote attackers to inject EL expressions via crafted parameters.
Source: nvd
CVE-2011-4367 | MEDIUM | CVSS 5.0 | Public exploit: PoC | Affected: ≥ 2.0.1, ≤ 2.0.11; ≥ 2.1.0, ≤ 2.1.5 | Published: 2014-06-19
CWE-22. Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.
Source: nvd
CVE-2010-2057 | MEDIUM | CVSS 5.0 | Affected: v1.1.0, v1.1.1, +14 more | Published: 2010-10-20
CWE-310. shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
Source: nvd
CVE-2010-2086 | MEDIUM | CVSS 4.0 | Affected: v1.1.7, v1.2.8 | Published: 2010-05-27
CWE-79. Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.
Source: nvd
Apache Myfaces vulnerabilities | cvebase