Filtered by vendor Apache
Subscribe
Total
526 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-6805 | 1 Apache | 1 Ignite | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. | |||||
CVE-2015-3271 | 1 Apache | 1 Tika | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header. | |||||
CVE-2017-5655 | 1 Apache | 1 Ambari | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are readable by any user authenticated on the host. | |||||
CVE-2017-5644 | 1 Apache | 1 Poi | 2023-12-10 | 7.1 HIGH | 5.5 MEDIUM |
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. | |||||
CVE-2017-5653 | 1 Apache | 1 Cxf | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. | |||||
CVE-2015-5241 | 1 Apache | 1 Juddi | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
After logging into the portal, the logout jsp page redirects the browser back to the login page after. It is feasible for malicious users to redirect the browser to an unintended web page in Apache jUDDI 3.1.2, 3.1.3, 3.1.4, and 3.1.5 when utilizing the portlets based user interface also known as 'Pluto', 'jUDDI Portal', 'UDDI Portal' or 'uddi-console'. User session data, credentials, and auth tokens are cleared before the redirect. | |||||
CVE-2017-3161 | 1 Apache | 1 Hadoop | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter. | |||||
CVE-2015-5174 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. | |||||
CVE-2016-0784 | 1 Apache | 1 Openmeetings | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Directory traversal vulnerability in the Import/Export System Backups functionality in Apache OpenMeetings before 3.1.1 allows remote authenticated administrators to write to arbitrary files via a .. (dot dot) in a ZIP archive entry. | |||||
CVE-2016-2168 | 1 Apache | 1 Subversion | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check. | |||||
CVE-2015-3251 | 1 Apache | 1 Cloudstack | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
Apache CloudStack before 4.5.2 might allow remote authenticated administrators to obtain sensitive password information for root accounts of virtual machines via unspecified vectors related to API calls. | |||||
CVE-2016-5000 | 1 Apache | 1 Poi | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
CVE-2015-8796 | 1 Apache | 1 Solr | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL. | |||||
CVE-2016-4465 | 1 Apache | 1 Struts | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. | |||||
CVE-2016-0706 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. | |||||
CVE-2016-5395 | 1 Apache | 1 Ranger | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies. | |||||
CVE-2016-3085 | 1 Apache | 1 Cloudstack | 2023-12-10 | 5.8 MEDIUM | 6.5 MEDIUM |
Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and used, allow remote attackers to bypass authentication and access the user interface via vectors related to the SAML plugin. | |||||
CVE-2016-0734 | 1 Apache | 1 Activemq | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element. | |||||
CVE-2016-2162 | 1 Apache | 1 Struts | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. | |||||
CVE-2015-8797 | 1 Apache | 1 Solr | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI. |