Filtered by vendor Apache
Subscribe
Total
2282 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-5019 | 1 Apache | 1 Myfaces Trinidad | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string. | |||||
CVE-2016-2167 | 1 Apache | 1 Subversion | 2024-02-28 | 4.9 MEDIUM | 6.8 MEDIUM |
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string. | |||||
CVE-2016-2162 | 1 Apache | 1 Struts | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. | |||||
CVE-2016-4432 | 1 Apache | 1 Qpid Broker-j | 2024-02-28 | 5.0 MEDIUM | 9.1 CRITICAL |
The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging. | |||||
CVE-2016-0782 | 1 Apache | 1 Activemq | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue. | |||||
CVE-2015-0253 | 3 Apache, Apple, Oracle | 5 Http Server, Mac Os X, Mac Os X Server and 2 more | 2024-02-28 | 5.0 MEDIUM | N/A |
The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI. | |||||
CVE-2016-0710 | 1 Apache | 1 Jetspeed | 2024-02-28 | 7.5 HIGH | 8.8 HIGH |
Multiple SQL injection vulnerabilities in the User Manager service in Apache Jetspeed before 2.3.1 allow remote attackers to execute arbitrary SQL commands via the (1) role or (2) user parameter to services/usermanager/users/. | |||||
CVE-2016-2171 | 1 Apache | 1 Jetspeed | 2024-02-28 | 6.4 MEDIUM | 7.5 HIGH |
The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API. | |||||
CVE-2015-3268 | 1 Apache | 1 Ofbiz | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x before 13.07.03 allows remote attackers to inject arbitrary web script or HTML via the description attribute of a display-entity element. | |||||
CVE-2015-7520 | 1 Apache | 1 Wicket | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted "value" attribute in a <input> element. | |||||
CVE-2016-3093 | 2 Apache, Ognl Project | 2 Struts, Ognl | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. | |||||
CVE-2016-3092 | 4 Apache, Canonical, Debian and 1 more | 6 Commons Fileupload, Tomcat, Ubuntu Linux and 3 more | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. | |||||
CVE-2016-1182 | 1 Apache | 1 Struts | 2024-02-28 | 6.4 MEDIUM | 8.2 HIGH |
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899. | |||||
CVE-2016-0711 | 1 Apache | 1 Jetspeed | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Apache Jetspeed before 2.3.1 allow remote attackers to inject arbitrary web script or HTML via the title parameter when adding a (1) link, (2) page, or (3) folder resource. | |||||
CVE-2015-5208 | 1 Apache | 1 Cordova | 2024-02-28 | 4.3 MEDIUM | 4.4 MEDIUM |
Apache Cordova iOS before 4.0.0 allows remote attackers to execute arbitrary plugins via a link. | |||||
CVE-2015-5214 | 4 Apache, Canonical, Debian and 1 more | 4 Openoffice, Ubuntu Linux, Debian Linux and 1 more | 2024-02-28 | 6.8 MEDIUM | N/A |
LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via an index to a non-existent bookmark in a DOC file. | |||||
CVE-2014-1972 | 1 Apache | 1 Tapestry | 2024-02-28 | 7.8 HIGH | N/A |
Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource consumption) or execute arbitrary code via crafted serialized data. | |||||
CVE-2016-0735 | 1 Apache | 1 Ranger | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restrictions by leveraging mishandling of a resource-level exclude policy. | |||||
CVE-2015-8320 | 1 Apache | 1 Cordova | 2024-02-28 | 5.0 MEDIUM | N/A |
Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value. | |||||
CVE-2016-2166 | 2 Apache, Fedoraproject | 2 Qpid Proton, Fedora | 2024-02-28 | 5.8 MEDIUM | 6.5 MEDIUM |
The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors. |