5 matches found
CVE-2021-26296
CVE-2021-26296 is an Apache MyFaces CSRF vulnerability affecting the WebSphere Application Server (WAS) family and Liberty. IBM bulletins describe the vulnerability as cross-site request forgery due to improper input validation, enabling unauthorized actions if an authenticated user visits a malicious site. Affected products...
CVE-2010-2086
Affected software: Apache MyFaces 1.1.7 and 1.2.8 (as used in IBM WebSphere Application Server and other apps). Vulnerability: Unencrypted view state handling allows remote attackers to perform cross-site scripting (XSS) or execute arbitrary EL statements by modifying the serialized view object....
CVE-2011-4343
CVE-2011-4343 is an information-disclosure vulnerability in the JavaServer Faces (JSF) / MyFaces component used by IBM WebSphere Application Server. It allows remote attackers to obtain sensitive information by injecting EL expressions via crafted input parameters. Public sources (IBM bulletins r...
CVE-2011-4367
This CVE concerns a path traversal vulnerability in Apache MyFaces Core (JSF). Affected versions are Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6. An attacker can read arbitrary files by supplying a .. sequence via the ln parameter to faces/javax.faces.resource/web.xml or via PATH_INFO to faces/ja...
CVE-2010-2057
CVE-2010-2057 affects Apache MyFaces: shared/util/StateUtils.java uses an encrypted View State without a Message Authentication Code (MAC) in MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1. The underlying issue is lack of MAC protection on the serialized View State, enabli...