Package details: pkg:deb/debian/mojarra@2.2.8-6?distro=trixie
purl pkg:deb/debian/mojarra@2.2.8-6?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (8)
Vulnerability Summary Aliases
VCID-132f-p6xh-4ydm Oracle Mojarra uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack, a related issue to CVE-2010-2057. CVE-2010-4007
VCID-1rtf-aum8-33hg Mojarra: deployed web applications can read FacesContext from other applications under certain conditions CVE-2012-2672
VCID-5sf4-cx8k-guae Cross-site Scripting in Eclipse Mojarra faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces, allows Reflected XSS because a client window field is mishandled. CVE-2019-17091
GHSA-rjhx-c9qh-qh8f
VCID-aj1q-r1y1-bkbh Directory traversal This package allows remote attackers to read arbitrary files via a `..` in the `ln` parameter to `faces/javax.faces.resource/web.xml` or the `PATH_INFO` to `faces/javax.faces.resource/`. CVE-2011-4367
GHSA-gjfx-9wx3-j6r7
VCID-qyr6-8ydt-dfaa injection: includeViewParameters re-evaluates param/model values as EL expressions CVE-2011-4358
VCID-s1tt-jj2t-5yc9 XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions This package does not perform appropriate encoding when a `<h:outputText>` tag or EL expression is used after a script or style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors. CVE-2013-5855
GHSA-3m3r-82gc-53mj
VCID-tbhh-2tte-kkdk Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. CVE-2020-6950
GHSA-rpq8-mmwh-q9hm
VCID-ud7m-cc54-3qbv The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications. CVE-2018-14371
GHSA-43q7-q5vp-3g68

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T12:52:54.926522+00:00 Debian Importer Fixing VCID-1rtf-aum8-33hg https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:46:26.511324+00:00 Debian Importer Fixing VCID-ud7m-cc54-3qbv https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:35:25.412282+00:00 Debian Importer Fixing VCID-aj1q-r1y1-bkbh https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:29:20.790050+00:00 Debian Importer Fixing VCID-s1tt-jj2t-5yc9 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:17:33.371535+00:00 Debian Importer Fixing VCID-qyr6-8ydt-dfaa https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:32:06.857414+00:00 Debian Importer Fixing VCID-5sf4-cx8k-guae https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:28:12.487672+00:00 Debian Importer Fixing VCID-132f-p6xh-4ydm https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:38:37.173444+00:00 Debian Importer Fixing VCID-tbhh-2tte-kkdk https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T08:50:34.695439+00:00 Debian Importer Fixing VCID-1rtf-aum8-33hg https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:01:44.344517+00:00 Debian Importer Fixing VCID-ud7m-cc54-3qbv https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:54:08.710524+00:00 Debian Importer Fixing VCID-aj1q-r1y1-bkbh https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:49:44.726050+00:00 Debian Importer Fixing VCID-s1tt-jj2t-5yc9 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:40:56.960306+00:00 Debian Importer Fixing VCID-qyr6-8ydt-dfaa https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T18:21:27.385254+00:00 Debian Importer Fixing VCID-5sf4-cx8k-guae https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T18:18:56.021088+00:00 Debian Importer Fixing VCID-132f-p6xh-4ydm https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T17:48:42.514830+00:00 Debian Importer Fixing VCID-tbhh-2tte-kkdk https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:46:04.062286+00:00 Debian Importer Fixing VCID-tbhh-2tte-kkdk https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:46:04.042043+00:00 Debian Importer Fixing VCID-5sf4-cx8k-guae https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:46:04.021809+00:00 Debian Importer Fixing VCID-ud7m-cc54-3qbv https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:46:04.000068+00:00 Debian Importer Fixing VCID-s1tt-jj2t-5yc9 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:46:03.974535+00:00 Debian Importer Fixing VCID-1rtf-aum8-33hg https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:46:03.951302+00:00 Debian Importer Fixing VCID-aj1q-r1y1-bkbh https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:46:03.928588+00:00 Debian Importer Fixing VCID-qyr6-8ydt-dfaa https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:46:03.904145+00:00 Debian Importer Fixing VCID-132f-p6xh-4ydm https://security-tracker.debian.org/tracker/data/json 38.1.0