CyberSec.Space Logo
返回 CVE 浏览器

CVE-2018-12532

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1410%
EPSS Percentile0.98th
Published2018年6月18日
Last Modified2024年11月21日

Vulnerability Description

JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.

Affected Platforms (CPE)

📦
Redhat

Richfaces

>= 4.5.3 and <= 4.5.17

References & Advisories

🔗 http://seclists.org/fulldisclosure/2020/Mar/21
🔗 http://www.securityfocus.com/bid/104503
🔗 https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
🔗 http://seclists.org/fulldisclosure/2020/Mar/21
🔗 http://www.securityfocus.com/bid/104503
🔗 https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html

相关漏洞威胁

CVE-2018-125339.8

JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and exe...

CVE-2018-146679.8

The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A rem...

CVE-2013-45219.8

RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deseri...

CVE-2013-21657.5

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat ...