CVE-2018-14667
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote,...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- July 27, 2018
- Published Date
- November 06, 2018
- Last Updated
- February 07, 2025
- Vendor
- [UNKNOWN]
- Product
- RichFaces
- Description
- The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
CVSS Scores
CVSS v3.0
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC Information
- Exploitation
- active
- Automatable
- Yes
- Technical Impact
- total
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2023-09-28 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
Venscor/CVE-2018-14667-poc
Type: github • Created: 2019-09-23 07:45:01 UTC • Stars: 8
syriusbughunt/CVE-2018-14667
Type: github • Created: 2018-11-30 04:06:08 UTC • Stars: 50
r00t4dm/CVE-2018-14667
Type: github • Created: 2018-11-28 07:35:28 UTC • Stars: 1
zeroto01/CVE-2018-14667
Type: github • Created: 2018-11-23 06:44:49 UTC • Stars: 2