CVSS: 5.0 | EPSS: 93% | CPEs: 2 | EXPL: 4

Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.

Apache MyFaces Core versions 2.0.1 to 2.0.11 and 2.1.0 to 2.1.5 suffer from a remote file disclosure vulnerability.

References:
• https://www.exploit-db.com/exploits/36681
• http://mail-archives.apache.org/mod_mbox/myfaces-announce/201202.mbox/%3C4F33ED1F.4070007%40apache.org%3E
• http://osvdb.org/show/osvdb/79002
• http://seclists.org/fulldisclosure/2012/Feb/150
• http://secunia.com/advisories/47973
• http://www.securityfocus.com/bid/51939
• https://exchange.xforce.ibmcloud.com/vulnerabilities/73100

Weakness:
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 | EPSS: 0% | CPEs: 15 | EXPL: 0

Information disclosure vulnerability in Apache MyFaces Core 2.0.1 through 2.0.10 and 2.1.0 through 2.1.4 allows remote attackers to inject EL expressions via crafted parameters.

Apache MyFaces Core versions 2.0.1 through 2.0.10 and versions 2.1.0 through 2.1.4 suffer from an information disclosure vulnerability.

References:
• http://marc.info/?l=full-disclosure&m=132313252814362
• http://www.securitytracker.com/id/1039695
• https://issues.apache.org/jira/secure/attachment/12504807/MYFACES-3405-1.patch

Weakness:
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor