A vulnerability in Red Hat JBoss RichFaces could allow an unauthenticated, remote attacker to inject arbitrary code on a targeted system.
The vulnerability exists because the affected software allows injection of arbitrary Expression Language (EL) expressions. An attacker could exploit this vulnerability by using the org.ajax4jsf.resource.UserResource$UriData object to pass malicious resource data to the targeted system. A successful exploit could allow the attacker to execute arbitrary Java code on the system.
Red Hat has confirmed the vulnerability and released software updates.
Security Impact Rating: Critical
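For triage on servers that ran an affected RichFaces version, the following added example (not code from the advisory or from Red Hat) scans web access logs for requests that name the `org.ajax4jsf.resource.UserResource` class mentioned above, grouped by client. It assumes combined-format access logs and that the class name appears in the request URI; the log lines, addresses and paths are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Class named in the advisory. Matching it in the request URI is an assumption
# about how the resource is addressed, not something the advisory states.
MARKER = "org.ajax4jsf.resource.userresource"

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so %2E or %252E encodings cannot hide the marker."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def find_userresource_requests(lines):
    """Return {client: [(timestamp, status, raw_uri), ...]} for requests naming UserResource."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        if MARKER in fully_decode(m["uri"]).lower():
            hits[m["client"]].append((m["ts"], int(m["status"]), m["uri"]))
    return dict(hits)

# Constructed sample lines: documentation addresses, placeholder data, illustrative paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/index.jsf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /app/a4j/org.ajax4jsf.resource.UserResource/DATA/PLACEHOLDER HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /app/a4j/org%252Eajax4jsf%252Eresource%252EUserResource/DATA/PLACEHOLDER HTTP/1.1" 500 312',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /app/a4j/example.OtherResource HTTP/1.1" 200 43',
    'garbage line',
]

if __name__ == "__main__":
    for client, reqs in find_userresource_requests(SAMPLE_LOG).items():
        print(client, len(reqs), "request(s):", [(ts, st) for ts, st, _ in reqs])
```

A match only shows that the resource handler was addressed; whether the request carried a malicious EL expression has to be judged from the application's own logs and the installed RichFaces version.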