98 matches found
Apache MyFaces - 'ln' Information Disclosure
source: https://www.securityfocus.com/bid/51939/info Apache MyFaces is prone to a remote information-disclosure vulnerability. Remote attackers can exploit this issue to obtain sensitive information that may aid in further attacks. The following versions are affected: Apache MyFaces 2.0.1 through...
Apache MyFaces 2.0 / 2.1 Information Disclosure
-------------------------------------------------------------------------------------------------- CVE-2011-4343: Apache MyFaces information disclosure vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: MyFaces Core 2.0.1 to 2.0.10 MyFaces Core 2.1.0 to...
Apache MyFaces EL表达式求值安全绕过漏洞
Bugtraq ID: 50848 CVE ID:CVE-2011-4359 Apache MyFaces是一款JavaServer Faces技术开源实现。 Apache MyFaces存在安全漏洞,允许恶意用户绕过部分安全限制。 问题是由于解析Java Bean中的参数存在错误,可导致部分参数以EL表达式语言表达式求值。 成功利用漏洞需要Java Bean中"includeViewParameters"设置为"true"。 Apache MyFaces 2.1.x 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息:...
CVE-2010-2057
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code MAC, which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracl...
Authentication flaw
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code MAC, which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracl...
CVE-2010-2057
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code MAC, which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracl...
CVE-2010-2057
CVE-2010-2057 affects Apache MyFaces: shared/util/StateUtils.java uses an encrypted View State without a Message Authentication Code (MAC) in MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1. The underlying issue is lack of MAC protection on the serialized View State, enabli...
Apache MyFaces ViewState远程跨站脚本漏洞
CVE ID: CVE-2010-2086 Apache MyFaces是JavaServer Faces标准的开源实现。 在没有加密view state的情况下,远程攻击者就可以通过在请求中向Apache MyFaces提供新的或修改的view对象执行跨站脚本或任意EL语句。成功利用这个漏洞要求修改非明文存储的序列化view对象。 Apache Group MyFaces 1.2.8 Apache Group MyFaces 1.1.7 厂商补丁: Apache Group ------------...
CVE-2010-2086
Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting XSS attacks or execute arbitrary Expression Language EL statements via vectors that...
Cross site scripting
Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting XSS attacks or execute arbitrary Expression Language EL statements via vectors that...
CVE-2010-2086
Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting XSS attacks or execute arbitrary Expression Language EL statements via vectors that...
Cross site scripting
Multiple cross-site scripting XSS vulnerabilities in certain JSF applications in Apache MyFaces Tomahawk before 1.1.6 allow remote attackers to inject arbitrary web script via the autoscroll parameter, which is injected into Javascript that is sent to the client...
CVE-2007-3101
Multiple cross-site scripting XSS vulnerabilities in certain JSF applications in Apache MyFaces Tomahawk before 1.1.6 allow remote attackers to inject arbitrary web script via the autoscroll parameter, which is injected into Javascript that is sent to the client...
CVE-2007-3101
Multiple cross-site scripting XSS vulnerabilities in certain JSF applications in Apache MyFaces Tomahawk before 1.1.6 allow remote attackers to inject arbitrary web script via the autoscroll parameter, which is injected into Javascript that is sent to the client...
CVE-2007-3101
CVE-2007-3101 corresponds to XSS in Apache MyFaces Tomahawk JSF framework prior to 1.1.6. The vulnerability arises from unsanitized autoscroll input that is injected into Javascript sent to clients, enabling remote script execution in the user’s browser. Remediation: upgrade to MyFaces Tomahawk 1...
Apache MyFaces Tomahawk JSF架构Autoscroll参数跨站脚本漏洞
Java Server Faces, JSF是一款用于建立服务端GUI WEB应用程序的架构。 Java Server Faces, JSF不正确过滤用户提交的HTTP请求,远程攻击者可以利用漏洞进行跨站脚本攻击,获得敏感信息。 当从POST或者GET请求解析'autoscroll'参数时,由于不充分过滤,可导致提交恶意脚本代码作为参数,当其他用户解析时可泄露敏感信息。 Apache MyFaces Tomahawk 1.1.5 升级程序: Apache MyFaces Tomahawk 1.1.5 Apache tomahawk-1.1.6-bin.tar.gz...
Apache MyFaces Tomahawk crossite scripting
Crossite scripting on 'autoscroll' parameter...
iDefense Security Advisory 06.14.07: Apache MyFaces Tomahawk JSF Framework Cross-Site Scripting (XSS) Vulnerability
Apache MyFaces Tomahawk JSF Framework Cross-Site Scripting XSS Vulnerability iDefense Security Advisory 06.14.07 http://labs.idefense.com/intelligence/vulnerabilities/ Jun 14, 2007 I. BACKGROUND Java Server Faces, JSF, is a framework used to create server side GUI Web applications. It is comparab...