Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Total 2238 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-3186 1 Apache 1 Ambari 2015-11-04 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 allows remote authenticated cluster operator users to inject arbitrary web script or HTML via the note field in a configuration change.
CVE-2015-1775 1 Apache 1 Ambari 2015-11-04 5.5 MEDIUM N/A
Server-side request forgery (SSRF) vulnerability in the proxy endpoint (api/v1/proxy) in Apache Ambari before 2.1.0 allows remote authenticated users to conduct port scans and access unsecured services via a crafted REST call.
CVE-2015-1773 1 Apache 1 Flex 2015-10-05 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html in Apache Flex before 4.14.1 allows remote attackers to inject arbitrary web script or HTML by providing a crafted URI to JavaScript code generated by the asdoc component.
CVE-2014-9593 1 Apache 1 Cloudstack 2015-01-16 5.0 MEDIUM N/A
Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call.
CVE-2014-10022 1 Apache 1 Traffic Server 2015-01-14 5.0 MEDIUM N/A
Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing.
CVE-2014-3502 1 Apache 1 Cordova 2014-11-17 4.3 MEDIUM N/A
Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent.
CVE-2014-3501 1 Apache 1 Cordova 2014-11-17 4.3 MEDIUM N/A
Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist and connect to arbitrary servers by using JavaScript to open WebSocket connections through WebView.
CVE-2014-3500 1 Apache 1 Cordova 2014-11-17 6.4 MEDIUM N/A
Apache Cordova Android before 3.5.1 allows remote attackers to change the start page via a crafted intent URL.
CVE-2014-0074 1 Apache 1 Shiro 2014-10-07 7.5 HIGH N/A
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
CVE-2013-6398 1 Apache 1 Cloudstack 2014-09-04 2.8 LOW N/A
The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request.
CVE-2013-6407 1 Apache 1 Solr 2014-07-17 6.4 MEDIUM N/A
The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVE-2012-5649 1 Apache 1 Couchdb 2014-05-30 6.8 MEDIUM N/A
Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to execute arbitrary code via a JSONP callback, related to Adobe Flash.
CVE-2013-4310 1 Apache 1 Struts 2014-05-05 5.8 MEDIUM N/A
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.
CVE-2013-7372 2 Apache, Google 2 Harmony, Android 2014-04-30 5.0 MEDIUM N/A
The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.
CVE-2013-1777 2 Apache, Ibm 2 Geronimo, Websphere Application Server 2014-04-01 10.0 HIGH N/A
The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.
CVE-2012-6612 1 Apache 1 Solr 2014-03-08 7.5 HIGH N/A
The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.
CVE-2012-6637 2 Adobe, Apache 2 Phonegap, Cordova 2014-03-03 7.5 HIGH N/A
Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier do not anchor the end of domain-name regular expressions, which allows remote attackers to bypass a whitelist protection mechanism via a domain name that contains an acceptable name as an initial substring.
CVE-2014-1881 2 Adobe, Apache 2 Phonegap, Cordova 2014-03-03 7.5 HIGH N/A
Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that leverages IFRAME script execution and waits a certain amount of time for an OnJsPrompt handler return value as an alternative to correct synchronization.
CVE-2014-1884 3 Adobe, Apache, Microsoft 3 Phonegap, Cordova, Windows Phone 2014-03-03 7.5 HIGH N/A
Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier on Windows Phone 7 and 8 do not properly restrict navigation events, which allows remote attackers to bypass intended device-resource restrictions via content that is accessed (1) in an IFRAME element or (2) with the XMLHttpRequest method by a crafted application.
CVE-2014-1882 2 Adobe, Apache 2 Phonegap, Cordova 2014-03-03 7.5 HIGH N/A
Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that leverages IFRAME script execution and directly accesses bridge JavaScript objects, as demonstrated by certain cordova.require calls.