Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Total 2223 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-8152 1 Apache 1 Santuario Xml Security For Java 2023-12-10 5.0 MEDIUM N/A
Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.
CVE-2014-0113 1 Apache 1 Struts 2023-12-10 7.5 HIGH N/A
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
CVE-2015-2091 1 Apache 1 Mod-gnutls 2023-12-10 5.0 MEDIUM N/A
The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when "GnuTLSClientVerify require" is set, which allows remote attackers to spoof clients via a crafted certificate.
CVE-2015-0252 3 Apache, Debian, Fedoraproject 3 Xerces-c\+\+, Debian Linux, Fedora 2023-12-10 5.0 MEDIUM N/A
internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data.
CVE-2014-1882 2 Adobe, Apache 2 Phonegap, Cordova 2023-12-10 7.5 HIGH N/A
Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that leverages IFRAME script execution and directly accesses bridge JavaScript objects, as demonstrated by certain cordova.require calls.
CVE-2014-0227 1 Apache 1 Tomcat 2023-12-10 6.4 MEDIUM N/A
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
CVE-2012-5649 1 Apache 1 Couchdb 2023-12-10 6.8 MEDIUM N/A
Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to execute arbitrary code via a JSONP callback, related to Adobe Flash.
CVE-2014-3580 4 Apache, Apple, Debian and 1 more 8 Subversion, Xcode, Debian Linux and 5 more 2023-12-10 5.0 MEDIUM N/A
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.
CVE-2014-3502 1 Apache 1 Cordova 2023-12-10 4.3 MEDIUM N/A
Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent.
CVE-2013-2193 1 Apache 1 Hbase 2023-12-10 4.3 MEDIUM N/A
Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9, when the Kerberos features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via unspecified vectors.
CVE-2014-9527 2 Apache, Fedoraproject 2 Poi, Fedora 2023-12-10 5.0 MEDIUM N/A
HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.
CVE-2014-0033 1 Apache 1 Tomcat 2023-12-10 4.3 MEDIUM N/A
org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.
CVE-2015-1774 6 Apache, Canonical, Debian and 3 more 8 Openoffice, Ubuntu Linux, Debian Linux and 5 more 2023-12-10 6.8 MEDIUM N/A
The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.
CVE-2014-3584 1 Apache 1 Cxf 2023-12-10 5.0 MEDIUM N/A
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.
CVE-2013-2758 2 Apache, Citrix 2 Cloudstack, Cloudplatform 2023-12-10 5.0 MEDIUM N/A
Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C uses a hash of a predictable sequence, which makes it easier for remote attackers to guess the console access URL via a brute force attack.
CVE-2014-0109 1 Apache 1 Cxf 2023-12-10 4.3 MEDIUM N/A
Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large request with the Content-Type set to text/html to a SOAP endpoint, which triggers an error.
CVE-2014-3574 1 Apache 1 Poi 2023-12-10 4.3 MEDIUM N/A
Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
CVE-2013-4590 3 Apache, Debian, Oracle 3 Tomcat, Debian Linux, Solaris 2023-12-10 4.3 MEDIUM N/A
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVE-2012-6153 1 Apache 1 Commons-httpclient 2023-12-10 4.3 MEDIUM N/A
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
CVE-2014-3629 1 Apache 1 Qpid 2023-12-10 4.3 MEDIUM N/A
XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message.