Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) com.sun.faces:jsf-impl is a master POM file for Oracle's Implementation of the JSF 2.0 Specification. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via `faces/context/PartialViewContextImpl.java`, due to the client window field being mishandled. How to fix Cross-site Scripting (XSS)? Upgrade `com.sun.faces:jsf-impl` to version 2.2.20 or higher.	[,2.2.20)
M Cross-site Scripting (XSS) `com.sun.faces:jsf-impl` Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to insufficient escaping of user supplied input to the `<h:outputText>` and EL expressions. Oracle Mojarra JSF 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) `<h:outputText>` tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct Cross-site Scripting (XSS) attacks via application-specific vectors.	[2.0.0,2.2.6)

Cross-site Scripting (XSS)

com.sun.faces:jsf-impl is a master POM file for Oracle's Implementation of the JSF 2.0 Specification.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via faces/context/PartialViewContextImpl.java, due to the client window field being mishandled.

How to fix Cross-site Scripting (XSS)?

Upgrade com.sun.faces:jsf-impl to version 2.2.20 or higher.

[,2.2.20)

Cross-site Scripting (XSS)

com.sun.faces:jsf-impl

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to insufficient escaping of user supplied input to the <h:outputText> and EL expressions. Oracle Mojarra JSF 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct Cross-site Scripting (XSS) attacks via application-specific vectors.

[2.0.0,2.2.6)

Go back to all versions of this package