Oracle: >> Mojarra >> 2.1.7 Security Vulnerabilities
Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.
CVSS Score
4.3
EPSS Score
0.028
Published
2014-07-17
Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information an access resources from another WAR file by calling the FacesContext.getCurrentInstance function.
CVSS Score
2.1
EPSS Score
0.001
Published
2012-06-17