Arbitrary Code Execution Vulnerability in JBoss RichFaces 4.5.3 through 4.5.17 (RF-14309)

CVE-2018-12532 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.

Learn more about our Web Application Penetration Testing UK.