Vulnerabilities > Oracle > Mojarra
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-07-17 | CVE-2013-5855 | Cross-Site Scripting vulnerability in Oracle Mojarra Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors. | 4.3 |
| 2012-06-17 | CVE-2012-2672 | Unspecified vulnerability in Oracle Mojarra 2.1.7 Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information an access resources from another WAR file by calling the FacesContext.getCurrentInstance function. | 2.1 |
| 2010-10-20 | CVE-2010-4007 | Cryptographic Issues vulnerability in Oracle Mojarra Oracle Mojarra uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack, a related issue to CVE-2010-2057. | 5.0 |
| 2010-05-27 | CVE-2010-2087 | Cross-Site Scripting vulnerability in Oracle Mojarra 1.214/2.0.2 Oracle Mojarra 1.2_14 and 2.0.2, as used in IBM WebSphere Application Server, Caucho Resin, and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object. | 4.3 |