com.sun.faces:jsf-impl@2.0.9 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.sun.faces:jsf-impl package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) com.sun.faces:jsf-impl is a master POM file for Oracle's Implementation of the JSF 2.0 Specification. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via `faces/context/PartialViewContextImpl.java`, due to the client window field being mishandled. How to fix Cross-site Scripting (XSS)? Upgrade `com.sun.faces:jsf-impl` to version 2.2.20 or higher.	[,2.2.20)
M Cross-site Scripting (XSS) `com.sun.faces:jsf-impl` Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to insufficient escaping of user supplied input to the `<h:outputText>` and EL expressions. Oracle Mojarra JSF 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) `<h:outputText>` tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct Cross-site Scripting (XSS) attacks via application-specific vectors.	[2.0.0,2.2.6)
M XML External Entity (XXE) Injection `com.sun.faces:jsf-impl` XXE vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via XXE attacks related to Java Server Faces or Web Container.	[2.0.0,2.1.18]