Filtered by vendor Apache
Subscribe
Total
2282 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2015-5210 | 1 Apache | 1 Ambari | 2024-02-28 | 5.8 MEDIUM | N/A |
Open redirect vulnerability in Apache Ambari before 2.1.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the targetURI parameter. | |||||
CVE-2016-3087 | 1 Apache | 1 Struts | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin. | |||||
CVE-2016-4430 | 1 Apache | 1 Struts | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | |||||
CVE-2016-1546 | 1 Apache | 1 Http Server | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows. | |||||
CVE-2015-3183 | 1 Apache | 1 Http Server | 2024-02-28 | 5.0 MEDIUM | N/A |
The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c. | |||||
CVE-2015-6420 | 1 Apache | 1 Commons Collections | 2024-02-28 | 7.5 HIGH | N/A |
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | |||||
CVE-2015-8797 | 1 Apache | 1 Solr | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI. | |||||
CVE-2016-0731 | 1 Apache | 1 Ambari | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in the WebHDFS URL configuration. | |||||
CVE-2016-2168 | 1 Apache | 1 Subversion | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check. | |||||
CVE-2015-0265 | 1 Apache | 1 Ranger | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers to inject arbitrary web script or HTML via the HTTP User-Agent header. | |||||
CVE-2016-0709 | 1 Apache | 1 Jetspeed | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
Directory traversal vulnerability in the Import/Export function in the Portal Site Manager in Apache Jetspeed before 2.3.1 allows remote authenticated administrators to write to arbitrary files, and consequently execute arbitrary code, via a .. (dot dot) in a ZIP archive entry, as demonstrated by "../../webapps/x.jsp." | |||||
CVE-2016-0714 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. | |||||
CVE-2015-5204 | 1 Apache | 1 Cordova File Transfer | 2024-02-28 | 4.3 MEDIUM | N/A |
CRLF injection vulnerability in the Apache Cordova File Transfer Plugin (cordova-plugin-file-transfer) for Android before 1.3.0 allows remote attackers to inject arbitrary headers via CRLF sequences in the filename of an uploaded file. | |||||
CVE-2016-0707 | 1 Apache | 1 Ambari | 2024-02-28 | 2.1 LOW | 3.3 LOW |
The agent in Apache Ambari before 2.1.2 uses weak permissions for the (1) /var/lib/ambari-agent/data and (2) /var/lib/ambari-agent/keys directories, which allows local users to obtain sensitive information by reading files in the directories. | |||||
CVE-2015-5253 | 1 Apache | 1 Cxf | 2024-02-28 | 4.0 MEDIUM | N/A |
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack." | |||||
CVE-2015-2944 | 1 Apache | 2 Sling Api, Sling Servlets Post | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse. | |||||
CVE-2015-3186 | 1 Apache | 1 Ambari | 2024-02-28 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 allows remote authenticated cluster operator users to inject arbitrary web script or HTML via the note field in a configuration change. | |||||
CVE-2015-3270 | 1 Apache | 1 Ambari | 2024-02-28 | 6.5 MEDIUM | N/A |
Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authenticated users to gain administrative privileges via unspecified vectors, possibly related to changing passwords. | |||||
CVE-2016-3089 | 1 Apache | 1 Openmeetings | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the SWF panel in Apache OpenMeetings before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the swf parameter. | |||||
CVE-2016-1181 | 2 Apache, Oracle | 3 Struts, Banking Platform, Portal | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899. |