
cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Apache (b0303047-b7dd-5cf8-abcc-71b7d9d80b95)
Product: Myfaces (1bbda4ad-3e51-56c6-a46b-9825905d9c60)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:apache/myfaces | purl2cpe | 2026-06-01 10:14:25.070515
pkg:github/apache/myfaces | purl2cpe | 2026-06-01 10:14:25.070517
pkg:maven/org.apache.myfaces/myfaces | purl2cpe | 2026-06-01 10:14:25.070520
pkg:rpm/opensuse/myfaces | purl2cpe | 2026-06-01 10:14:25.070523
pkg:sourceforge/myfaces | purl2cpe | 2026-06-01 10:14:25.070526

Vulnerability references

Identifier: CVE:CVE-2021-26296
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:44:06.394169
db.gcve.eu details: Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.
Published: 2021-02-19T08:30:14.000Z
Updated: 2025-02-13T16:27:52.470Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2011-4367
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:31:24.472816
db.gcve.eu details: Details available
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.
Published: 2014-06-19T14:00:00.000Z
Updated: 2024-08-07T00:09:18.301Z
Rationale: Imported from gcve-enriched-dumps CVE data
