Описание
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.
Ссылки
- ExploitThird Party AdvisoryVDB Entry
- Mailing ListThird Party Advisory
- Mailing ListVendor Advisory
- Third Party Advisory
- ExploitThird Party AdvisoryVDB Entry
- Mailing ListThird Party Advisory
- Mailing ListVendor Advisory
- Third Party Advisory
Уязвимые конфигурации
Одно из
EPSS
7.5 High
CVSS3
5.1 Medium
CVSS2
Дефекты
Связанные уязвимости
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.
EPSS
7.5 High
CVSS3
5.1 Medium
CVSS2