CVE-2018-14667

Name of the Vulnerable Software and Affected Versions RichFaces Framework versions 3.X through 3.3.4

Description The RichFaces Framework is susceptible to Expression Language (EL) injection through the UserResource resource. A remote, unauthenticated attacker can potentially execute arbitrary code by exploiting a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData. This issue is currently being exploited in attacks, as indicated by CISA advisories.

Recommendations Versions prior to 3.4 are affected.