org.apache.myfaces.core:myfaces-core-project@2.2.12 vulnerabilities
- latest version: 4.0.2
- latest non vulnerable version
- first published: 18 years ago
- latest version published: 3 months ago
- licenses detected
  - [1.1.2,)
- package manager
Direct Vulnerabilities
Known vulnerabilities in the org.apache.myfaces.core:myfaces-core-project package. This does not include vulnerabilities belonging to this package’s dependencies.
Vulnerability | Vulnerable Version |
---|---|
org.apache.myfaces.core:myfaces-core-project is a MyFaces implementation of the JavaServer Faces 2.3 specification, and consists of an API module (javax.faces.* classes) and an implementation module (org.apache.myfaces.* classes). Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). In the default configuration, Apache MyFaces Core uses cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application. How to fix Cross-site Request Forgery (CSRF)? Upgrade | [,2.0.25); [2.1.0,2.2.14); [2.3.0,2.3.8); [2.3-next-M1,2.3-next-M5); [3.0.0-RC1,3.0.0) |
Affected versions of How to fix Deserialization of Untrusted Data? Upgrade | [,2.3.0) |