Filtered by vendor Apache
Subscribe
Total
2238 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2010-1244 | 1 Apache | 1 Activemq | 2017-08-17 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in createDestination.action in Apache ActiveMQ before 5.3.1 allows remote attackers to hijack the authentication of unspecified victims for requests that create queues via the JMSDestination parameter in a queue action. | |||||
CVE-2009-1885 | 1 Apache | 1 Xerces-c\+\+ | 2017-08-17 | 4.3 MEDIUM | N/A |
Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in "simply nested DTD structures," as demonstrated by the Codenomicon XML fuzzing framework. | |||||
CVE-2008-6504 | 2 Apache, Opensymphony | 2 Struts, Xwork | 2017-08-17 | 5.0 MEDIUM | N/A |
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character. | |||||
CVE-2007-6726 | 2 Apache, Dojotoolkit | 2 Struts, Dojo | 2017-08-17 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) xip_client.html and (2) xip_server.html in src/io/. | |||||
CVE-2010-2245 | 1 Apache | 1 Wink | 2017-08-16 | 5.8 MEDIUM | 7.4 HIGH |
XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document. | |||||
CVE-2016-4465 | 1 Apache | 1 Struts | 2017-08-09 | 5.0 MEDIUM | 5.3 MEDIUM |
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. | |||||
CVE-2016-4436 | 1 Apache | 1 Struts | 2017-08-09 | 7.5 HIGH | 9.8 CRITICAL |
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | |||||
CVE-2016-4433 | 1 Apache | 1 Struts | 2017-08-09 | 5.0 MEDIUM | 7.5 HIGH |
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | |||||
CVE-2016-4431 | 1 Apache | 1 Struts | 2017-08-09 | 5.0 MEDIUM | 7.5 HIGH |
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. | |||||
CVE-2008-4482 | 1 Apache | 1 Xerces-c\+\+ | 2017-08-08 | 7.8 HIGH | N/A |
The XML parser in Xerces-C++ before 3.0.0 allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an XML schema definition with a large maxOccurs value, which triggers excessive memory consumption during validation of an XML file. | |||||
CVE-2010-1632 | 2 Apache, Ibm | 6 Axis2, Geronimo, Orchestration Director Engine and 3 more | 2017-07-30 | 7.5 HIGH | N/A |
Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService. | |||||
CVE-2007-3101 | 1 Apache | 1 Myfaces Tomahawk | 2017-07-29 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in certain JSF applications in Apache MyFaces Tomahawk before 1.1.6 allow remote attackers to inject arbitrary web script via the autoscroll parameter, which is injected into Javascript that is sent to the client. | |||||
CVE-2007-2353 | 1 Apache | 1 Axis | 2017-07-29 | 5.0 MEDIUM | N/A |
Apache Axis 1.0 allows remote attackers to obtain sensitive information by requesting a non-existent WSDL file, which reveals the installation path in the resulting exception message. | |||||
CVE-2007-1741 | 1 Apache | 1 Http Server | 2017-07-29 | 6.2 MEDIUM | N/A |
Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 between directory and file validation, and their usage, allow local users to gain privileges and execute arbitrary code by renaming directories or performing symlink attacks. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root." | |||||
CVE-2002-2272 | 1 Apache | 2 Http Server, Tomcat | 2017-07-29 | 7.8 HIGH | N/A |
Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values. | |||||
CVE-2015-8796 | 1 Apache | 1 Solr | 2017-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL. | |||||
CVE-2017-7678 | 1 Apache | 1 Spark | 2017-07-26 | 4.3 MEDIUM | 6.1 MEDIUM |
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs. | |||||
CVE-2006-4154 | 1 Apache | 1 Http Server | 2017-07-20 | 6.8 MEDIUM | N/A |
Format string vulnerability in the mod_tcl module 1.0 for Apache 2.x allows context-dependent attackers to execute arbitrary code via format string specifiers that are not properly handled in a set_var function call in (1) tcl_cmds.c and (2) tcl_core.c. | |||||
CVE-2006-1548 | 1 Apache | 1 Struts | 2017-07-20 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message. | |||||
CVE-2006-1095 | 1 Apache | 1 Mod Python | 2017-07-20 | 7.2 HIGH | N/A |
Directory traversal vulnerability in the FileSession object in Mod_python module 3.2.7 for Apache allows local users to execute arbitrary code via a crafted session cookie. |