Vulmon
myfaces vulnerabilities and exploits
455
VMScore
CVE-2021-26296
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although diffic...
Apache Myfaces
Apache Myfaces 2.3
Apache Myfaces 3.0.0
Netapp Oncommand Insight -
2 Github repositories
445
VMScore
CVE-2017-1583
IBM WebSphere Application Server (IBM Liberty for Java for Bluemix 3.13) could allow a remote malicious user to obtain sensitive information caused by improper error handling by MyFaces in JSF.
Ibm Liberty 3.13
445
VMScore
CVE-2011-4343
Information disclosure vulnerability in Apache MyFaces Core 2.0.1 up to and including 2.0.10 and 2.1.0 up to and including 2.1.4 allows remote malicious users to inject EL expressions via crafted parameters.
Apache Myfaces 2.0.1
Apache Myfaces 2.1.3
Apache Myfaces 2.1.4
Apache Myfaces 2.0.4
Apache Myfaces 2.1.0
Apache Myfaces 2.0.7
Apache Myfaces 2.0.8
Apache Myfaces 2.1.1
Apache Myfaces 2.1.2
Apache Myfaces 2.0.9
Apache Myfaces 2.0.10
Apache Myfaces 2.0.2
Apache Myfaces 2.0.3
Apache Myfaces 2.0.5
Apache Myfaces 2.0.6
670
VMScore
CVE-2016-5019
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 up to and including 1.0.13, 1.2.x prior to 1.2.15, 2.0.x prior to 2.0.2, and 2.1.x prior to 2.1.2 might allow malicious users to conduct deserialization attacks via a crafted serialized view state string.
Apache Myfaces Trinidad
505
VMScore
CVE-2011-4367
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x prior to 2.0.12 and 2.1.x prior to 2.1.6 allow remote malicious users to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.x...
Apache Myfaces
1 EDB exploit
445
VMScore
CVE-2010-2057
shared/util/StateUtils.java in Apache MyFaces 1.1.x prior to 1.1.8, 1.2.x prior to 1.2.9, and 2.0.x prior to 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote malicious users to perform successful modifications of the...
Apache Myfaces 1.1.4
Apache Myfaces 1.1.5
Apache Myfaces 1.1.6
Apache Myfaces 1.1.7
Apache Myfaces 1.1.0
Apache Myfaces 1.1.2
Apache Myfaces 1.1.1
Apache Myfaces 1.1.3
Apache Myfaces 1.2.6
Apache Myfaces 1.2.7
Apache Myfaces 1.2.8
Apache Myfaces 1.2.2
Apache Myfaces 1.2.4
Apache Myfaces 1.2.3
Apache Myfaces 1.2.5
Apache Myfaces 2.0.0
356
VMScore
CVE-2010-2086
Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote malicious users to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) ...
Apache Myfaces 1.1.7
Apache Myfaces 1.2.8
435
VMScore
CVE-2007-3101
Multiple cross-site scripting (XSS) vulnerabilities in certain JSF applications in Apache MyFaces Tomahawk prior to 1.1.6 allow remote malicious users to inject arbitrary web script via the autoscroll parameter, which is injected into Javascript that is sent to the client.
Apache Myfaces Tomahawk
1 EDB exploit