Filtered by vendor Apache
Subscribe
Total
2281 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2012-3499 | 1 Apache | 1 Http Server | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules. | |||||
CVE-2012-4460 | 1 Apache | 1 Qpid | 2024-02-28 | 5.0 MEDIUM | N/A |
The serializing/deserializing functions in the qpid::framing::Buffer class in Apache Qpid 0.20 and earlier allow remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors. NOTE: this issue could also trigger an out-of-bounds read, but it might not trigger a crash. | |||||
CVE-2012-2138 | 1 Apache | 2 Org.apache.sling.servlets.post, Sling | 2024-02-28 | 5.0 MEDIUM | N/A |
The @CopyFrom operation in the POST servlet in the org.apache.sling.servlets.post bundle before 2.1.2 in Apache Sling does not prevent attempts to copy an ancestor node to a descendant node, which allows remote attackers to cause a denial of service (infinite loop) via a crafted HTTP request. | |||||
CVE-2012-4446 | 1 Apache | 1 Qpid | 2024-02-28 | 6.8 MEDIUM | N/A |
The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request. | |||||
CVE-2013-6348 | 1 Apache | 1 Struts | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/. | |||||
CVE-2013-4310 | 1 Apache | 1 Struts | 2024-02-28 | 5.8 MEDIUM | N/A |
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. | |||||
CVE-2013-1846 | 2 Apache, Opensuse | 2 Subversion, Opensuse | 2024-02-28 | 4.0 MEDIUM | N/A |
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a LOCK on an activity URL. | |||||
CVE-2012-6551 | 1 Apache | 1 Activemq | 2024-02-28 | 5.0 MEDIUM | N/A |
The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause a denial of service (broker resource consumption) via HTTP requests. | |||||
CVE-2012-2149 | 3 Apache, Libwpd, Redhat | 4 Openoffice.org, Libwpd, Enterprise Linux Optional Productivity Applications and 1 more | 2024-02-28 | 7.5 HIGH | N/A |
The WPXContentListener::_closeTableRow function in WPXContentListener.cpp in libwpd 0.8.8, as used by OpenOffice.org (OOo) before 3.4, allows remote attackers to execute arbitrary code via a crafted Wordperfect .WPD document that causes a negative array index to be used. NOTE: some sources report this issue as an integer overflow. | |||||
CVE-2012-5785 | 1 Apache | 1 Axis2 | 2024-02-28 | 5.8 MEDIUM | N/A |
Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
CVE-2013-0253 | 1 Apache | 2 Maven, Maven Wagon | 2024-02-28 | 5.8 MEDIUM | N/A |
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack. | |||||
CVE-2012-1574 | 2 Apache, Cloudera | 3 Hadoop, Cloudera Cdh, Hadoop | 2024-02-28 | 6.5 MEDIUM | N/A |
The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors. | |||||
CVE-2013-2249 | 1 Apache | 1 Http Server | 2024-02-28 | 7.5 HIGH | N/A |
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors. | |||||
CVE-2013-1814 | 1 Apache | 1 Rave | 2024-02-28 | 4.0 MEDIUM | N/A |
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response. | |||||
CVE-2011-3620 | 1 Apache | 1 Qpid | 2024-02-28 | 7.5 HIGH | N/A |
Apache Qpid 0.12 does not properly verify credentials during the joining of a cluster, which allows remote attackers to obtain access to the messaging functionality and job functionality of a cluster by leveraging knowledge of a cluster-username. | |||||
CVE-2013-1884 | 1 Apache | 1 Subversion | 2024-02-28 | 5.0 MEDIUM | N/A |
The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (segmentation fault and crash) via a log REPORT request with an invalid limit, which triggers an access of an uninitialized variable. | |||||
CVE-2012-4431 | 1 Apache | 1 Tomcat | 2024-02-28 | 4.3 MEDIUM | N/A |
org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. | |||||
CVE-2012-4501 | 2 Apache, Citrix | 2 Cloudstack, Cloudstack | 2024-02-28 | 10.0 HIGH | N/A |
Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as demonstrated by API calls to delete VMs. | |||||
CVE-2012-0883 | 2 Apache, Opensuse | 2 Http Server, Opensuse | 2024-02-28 | 6.9 MEDIUM | N/A |
envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl. | |||||
CVE-2013-2254 | 1 Apache | 2 Org.apache.sling.servlets.post, Sling | 2024-02-28 | 5.0 MEDIUM | N/A |
The deepGetOrCreateNode function in impl/operations/AbstractCreateOperation.java in org.apache.sling.servlets.post.bundle 2.2.0 and 2.3.0 in Apache Sling does not properly handle a NULL value that returned when the session does not have permissions to the root node, which allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors. |