Leonardo Uribe

#22311 of 53,639
10 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2010-3676
5.0
2010-10-20
Apache · Apache Myfaces · CVE-2010-2057
**Name of the Vulnerable Software and Affected Versions**

Apache MyFaces versions 1.1.x through 1.1.7
Apache MyFaces versions 1.2.x through 1.2.8
Apache MyFaces versions 2.0.x through 2.0.0

**Description**

The issue allows remote attackers to perform successful modifications of the View State via a padding oracle attack because `shared/util/StateUtils.java` uses an encrypted View State without a Message Authentication Code (MAC).

**Recommendations**

For Apache MyFaces versions 1.1.x through 1.1.7, update to version 1.1.8 or later.
For Apache MyFaces versions 1.2.x through 1.2.8, update to version 1.2.9 or later.
For Apache MyFaces versions 2.0.x through 2.0.0, update to version 2.0.1 or later.
PT-2010-5234
5.0
2010-10-20
Oracle · Oracle Mojarra · CVE-2010-4007
**Name of the Vulnerable Software and Affected Versions**

Oracle Mojarra (affected versions not specified)

**Description**

The issue concerns Oracle Mojarra, which uses an encrypted View State without a Message Authentication Code (MAC). This makes it easier for remote attackers to modify the View State via a padding oracle attack.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.