104 matches found
CVE-2017-17837
CVE-2017-17837 affects the Apache DeltaSpike-JSF 1.8.0 module with a Cross‑Site Scripting (XSS) leak in how windowId is handled. The windowId is truncated after 10 characters by default, which can limit impact but still constitutes an XSS risk. A fix was released in Apache DeltaSpike 1.8.1 (delta...
CVE-2017-1583
IBM WebSphere Application Server IBM Liberty for Java for Bluemix 3.13could allow a remote attacker to obtain sensitive information caused by improper error handling by MyFaces in JSF...
CVE-2017-1583
CVE-2017-1583 affects IBM WebSphere Application Server (JSF MyFaces) via improper error handling in JSF, enabling a remote attacker to obtain sensitive information. The connected IBM bulletins indicate WebSphere products (Traditional/Liberty) are affected and provide fixes; however, the exact fix...
CVE-2017-1583
IBM WebSphere Application Server IBM Liberty for Java for Bluemix 3.13could allow a remote attacker to obtain sensitive information caused by improper error handling by MyFaces in JSF...
Remote Code Execution (RCE)
myfaces-impl is vulnerable to remote code execution RCE attacks. If the ViewState parameter in a JSF page is not encrypted, a malicious user can use it to inject arbitrary code that is executed when sent to the server to be deserialized...
Cross-site Scripting (XSS)
Mojarra JSF is vulnerable to cross-site scripting XSS attacks. These attacks are possible due to insufficient escaping of content in the outputText tags and the EL expressions...
CVE-2015-5176
The PortletRequestDispatcher in PortletBridge, as used in Red Hat JBoss Portal 6.2.0, does not properly enforce the security constraints of servlets, which allows remote attackers to gain access to resources via a request that asks to render a non-JSF resource...
Design/Logic Flaw
The PortletRequestDispatcher in PortletBridge, as used in Red Hat JBoss Portal 6.2.0, does not properly enforce the security constraints of servlets, which allows remote attackers to gain access to resources via a request that asks to render a non-JSF resource...
CVE-2015-5176
The PortletRequestDispatcher in PortletBridge, as used in Red Hat JBoss Portal 6.2.0, does not properly enforce the security constraints of servlets, which allows remote attackers to gain access to resources via a request that asks to render a non-JSF resource...
Important: Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.0.0 security update
Red Hat JBoss Fuse Service Works 6.0.0 roll up patch 4, which fixes multiple security issues and various bugs, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System CVSS base score...
JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
It was found that Mojarra JavaServer Faces did not properly escape user-supplied content in certain circumstances. Contents of outputText tags and raw EL expressions that immediately follow script or style elements were not escaped. A remote attacker could use a specially crafted URL to execute...
Important: Red Hat Security Advisory: Red Hat JBoss BRMS 6.0.3 security update
Red Hat JBoss BRMS 6.0.3 roll up patch 2, which fixes multiple security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System...
Apache MyFaces Tomahawk JSF Framework 1.1.5 Autoscroll Parameter Cross Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/24480/info Apache Tomahawk MyFaces JSF Framework is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Exploiting this vulnerability may allow an attacker to launch...
JBoss RichFaces进行Push请求拒绝服务漏洞
CVE ID:CVE-2014-0086 JBoss RichFaces是一个具 Ajax和JSF特性的Web框架。 JBoss RichFaces在处理PushHandlerFilter类src/main/java/org/richfaces/webapp/PushHandlerFilter.java中的推送事件时存在错误,允许远程攻击者利用漏洞发送特制的畸形推送请求消耗系统内存资源,造成拒绝服务攻击。 0 JBoss RichFaces 4.3.4 目前没有详细解决方案提供: https://issues.jboss.org/browse/RF-13250...
JBoss RichFaces 远程代码执行漏洞(CVE-2013-2165)
Bugtraq ID:61085 CVE ID:CVE-2013-2165 JBoss RichFaces是一个具 Ajax和JSF特性的Web框架 RichFaces ResourceBuilderImpl处理反序列化存在在安全漏洞,允许远程攻击者利用此漏洞发送特殊数据,执行部署在服务器上任意可序列化类中的反序列化方法 此漏洞所产生的影响其严重程序取决于这些类的反序列化逻辑 0 JBoss RichFaces 厂商解决方案 用户可参考如下厂商提供的安全公告获得补丁信息: https://rhn.redhat.com/errata/RHSA-2013-1041.html...
Oracle GlassFish Server 3.0.1 < 3.0.1.7 / 3.1.2 < 3.1.2.5 Multiple Vulnerabilities (April 2013 CPU)
The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities : - Cross-site scripting XSS vulnerabilities exist in its admin and rest interface. These vulnerabilities permit JavaScript to be run in the context of GlassFish, which may result in credentials of...
Important: Red Hat Security Advisory: JBoss Enterprise Application Platform 6.0.1 update
Updated JBoss Enterprise Application Platform 6.0.1 packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability...
[SECURITY] Fedora 17 Update: jabberd-2.2.14-4.fc17
The jabberd project aims to provide an open-source server implementation of the Jabber protocols for instant messaging and XML routing. The goal of this project is to provide a scalable, reliable, efficient and extensible server that provides a complete set of features and is up to date with the...
CVE-2011-4358
Unspecified vulnerability in Oracle GlassFish Enterprise Server 3.0.1 and 3.1.1 allows remote attackers to affect confidentiality and integrity, related to JSF...
CVE-2011-4358
Unspecified vulnerability in Oracle GlassFish Enterprise Server 3.0.1 and 3.1.1 allows remote attackers to affect confidentiality and integrity, related to JSF...