Encrypted view state does not include MAC
`shared/util/StateUtils.java` in this package uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id
310
name
Cryptographic Issues
description
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
2
cwe_id
937
name
OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
3
cwe_id
287
name
Improper Authentication
description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.