org.glassfish.jsftemplating:jsftemplating 4.0.4

Direct Vulnerabilities

Known vulnerabilities in the org.glassfish.jsftemplating:jsftemplating package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') in the admin console endpoints (such as `/web/configuration/virtualServerEdit.jsf`). An attacker can execute arbitrary system commands and invoke `java.lang.Runtime` by injecting a specially crafted EL expressions into `alertSummary` and `alertDetail` parameters. How to fix Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')? Upgrade `org.glassfish.jsftemplating:jsftemplating` to version 4.2.0 or higher.	[,4.2.0)
M Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') in the server-side template rendering mechanism used by the gadget handler. An attacker can execute arbitrary commands, read/modify data by sending a specially crafted gadget URL with injected expressions such as `#{7*7}` to an authenticated administrator. How to fix Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')? Upgrade `org.glassfish.jsftemplating:jsftemplating` to version 4.2.0 or higher.	[,4.2.0)

Vulnerability

Vulnerable Version

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') in the admin console endpoints (such as /web/configuration/virtualServerEdit.jsf). An attacker can execute arbitrary system commands and invoke java.lang.Runtime by injecting a specially crafted EL expressions into alertSummary and alertDetail parameters.

How to fix Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')?

Upgrade org.glassfish.jsftemplating:jsftemplating to version 4.2.0 or higher.

[,4.2.0)

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') in the server-side template rendering mechanism used by the gadget handler. An attacker can execute arbitrary commands, read/modify data by sending a specially crafted gadget URL with injected expressions such as #{7*7} to an authenticated administrator.

How to fix Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')?

Upgrade org.glassfish.jsftemplating:jsftemplating to version 4.2.0 or higher.

[,4.2.0)

org.glassfish.jsftemplating:jsftemplating@4.0.4

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically