High severity · NVD Advisory · Published Feb 19, 2021 · Updated Feb 13, 2025

Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces

CVE-2021-26296

Description

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.apache.myfaces.core:myfaces-core-module (Maven) | < 2.0.25 | 2.0.25 |
| org.apache.myfaces.core:myfaces-core-module (Maven) | >= 2.1.0, < 2.1.19 | 2.1.19 |
| org.apache.myfaces.core:myfaces-core-module (Maven) | >= 2.2.0, < 2.2.14 | 2.2.14 |
| org.apache.myfaces.core:myfaces-core-module (Maven) | >= 2.3.0, < 2.3.8 | 2.3.8 |
