Filtered by vendor Apache
Subscribe
Total
2281 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-2155 | 1 Apache | 1 Xml Security For C\+\+ | 2024-02-28 | 5.8 MEDIUM | N/A |
Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 does not properly validate length values, which allows remote attackers to cause a denial of service or bypass the CVE-2009-0217 protection mechanism and spoof a signature via crafted length values to the (1) compareBase64StringToRaw, (2) DSIGAlgorithmHandlerDefault, or (3) DSIGAlgorithmHandlerDefault::verify functions. | |||||
CVE-2012-4001 | 2 Apache, Google | 2 Http Server, Mod Pagespeed | 2024-02-28 | 5.0 MEDIUM | N/A |
The mod_pagespeed module before 0.10.22.6 for the Apache HTTP Server does not properly verify its host name, which allows remote attackers to trigger HTTP requests to arbitrary hosts via unspecified vectors, as demonstrated by requests to intranet servers. | |||||
CVE-2012-5616 | 2 Apache, Citrix | 2 Cloudstack, Cloudplatform | 2024-02-28 | 1.5 LOW | N/A |
Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API. | |||||
CVE-2013-2115 | 1 Apache | 1 Struts | 2024-02-28 | 9.3 HIGH | 8.1 HIGH |
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. | |||||
CVE-2013-1862 | 5 Apache, Canonical, Opensuse and 2 more | 11 Http Server, Ubuntu Linux, Opensuse and 8 more | 2024-02-28 | 5.1 MEDIUM | N/A |
mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator. | |||||
CVE-2012-4387 | 1 Apache | 1 Struts | 2024-02-28 | 5.0 MEDIUM | N/A |
Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. | |||||
CVE-2012-3373 | 1 Apache | 1 Wicket | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app. | |||||
CVE-2012-4557 | 1 Apache | 1 Http Server | 2024-02-28 | 5.0 MEDIUM | N/A |
The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request. | |||||
CVE-2012-3446 | 1 Apache | 1 Libcloud | 2024-02-28 | 5.8 MEDIUM | 5.9 MEDIUM |
Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate. | |||||
CVE-2012-3502 | 1 Apache | 1 Http Server | 2024-02-28 | 4.3 MEDIUM | N/A |
The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remote attackers to obtain sensitive information in opportunistic circumstances by reading a response that was intended for a different client. | |||||
CVE-2012-0047 | 1 Apache | 1 Wicket | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the wicket:pageMapName parameter. | |||||
CVE-2013-4365 | 4 Apache, Debian, Opensuse and 1 more | 6 Http Server, Mod Fcgid, Debian Linux and 3 more | 2024-02-28 | 7.5 HIGH | N/A |
Heap-based buffer overflow in the fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.9 for the Apache HTTP Server allows remote attackers to have an unspecified impact via unknown vectors. | |||||
CVE-2012-2733 | 1 Apache | 1 Tomcat | 2024-02-28 | 5.0 MEDIUM | N/A |
java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data. | |||||
CVE-2012-3526 | 2 Apache, Thomas Eibner | 2 Http Server, Mod Rpaf | 2024-02-28 | 5.0 MEDIUM | N/A |
The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Apache HTTP Server allows remote attackers to cause a denial of service (server or application crash) via multiple X-Forwarded-For headers in a request. | |||||
CVE-2013-1909 | 2 Apache, Redhat | 2 Qpid, Enterprise Mrg | 2024-02-28 | 5.8 MEDIUM | N/A |
The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
CVE-2012-3546 | 1 Apache | 1 Tomcat | 2024-02-28 | 4.3 MEDIUM | N/A |
org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI. | |||||
CVE-2013-2135 | 1 Apache | 1 Struts | 2024-02-28 | 9.3 HIGH | N/A |
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. | |||||
CVE-2013-2248 | 1 Apache | 1 Struts | 2024-02-28 | 5.8 MEDIUM | N/A |
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix. | |||||
CVE-2013-4156 | 1 Apache | 1 Openoffice | 2024-02-28 | 6.8 MEDIUM | N/A |
Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted element in an OOXML document file. | |||||
CVE-2013-4316 | 2 Apache, Oracle | 4 Struts, Flexcube Private Banking, Mysql Enterprise Monitor and 1 more | 2024-02-28 | 10.0 HIGH | N/A |
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. |