Oracle

Mojarra

4 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 2.75%
  • Published 17.07.2014 05:10:13
  • Last modified 12.04.2025 10:46:40

Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a script or style block, which allows remote attackers to conduct cross-site scripting (XS...

Exploit
  • EPSS 0.06%
  • Published 17.06.2012 03:41:41
  • Last modified 11.04.2025 00:51:21

Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information and access resources from another WAR file by calling the FacesContext.getCurrentInstance function.

  • EPSS 0.33%
  • Published 20.10.2010 18:00:04
  • Last modified 11.04.2025 00:51:21

Oracle Mojarra uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack, a related issue to CVE-2010-2057.

Exploit
  • EPSS 0.18%
  • Published 27.05.2010 19:00:01
  • Last modified 11.04.2025 00:51:21

Oracle Mojarra 1.2_14 and 2.0.2, as used in IBM WebSphere Application Server, Caucho Resin, and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or exe...