CVE-2021-26296: Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces

Vendor: Apache Software Foundation
Product: Apache MyFaces Core
Weakness: CWE-352 (CSRF)
Published: February 19, 2021
Last update: February 13, 2025

What the vulnerability does

01 Description

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

Key dates

02 Disclosure timeline

February 19, 2021: CVE published
February 13, 2025: Record updated
