Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Total 2238 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-0031 1 Apache 1 Cloudstack 2014-02-25 4.0 MEDIUM N/A
The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache CloudStack before 4.2.1 allow remote authenticated users to list network ACLS for other users via a crafted request.
CVE-2013-2055 1 Apache 1 Wicket 2014-02-11 5.0 MEDIUM N/A
Unspecified vulnerability in Apache Wicket 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0 allows remote attackers to obtain sensitive information via vectors that cause raw HTML templates to be rendered without being processed and reading the information that is outside of wicket:panel markup.
CVE-2013-4505 1 Apache 2 Mod Dontdothat, Subversion 2013-12-20 2.6 LOW N/A
The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.
CVE-2013-4171 1 Apache 1 Roller 2013-12-09 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in Apache Roller before 5.0.2 allow remote attackers to inject arbitrary web script or HTML via vectors related to the search results in the (1) RSS and (2) Atom feed templates.
CVE-2013-6348 1 Apache 1 Struts 2013-11-25 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/.
CVE-2013-4390 1 Apache 2 Sling, Sling Auth Core Component 2013-10-25 5.8 MEDIUM N/A
Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."
CVE-2013-4295 1 Apache 1 Shindig 2013-10-24 5.0 MEDIUM N/A
The gadget renderer in Apache Shindig 2.5.0 for PHP allows remote attackers to obtain sensitive information via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVE-2013-5697 2 Apache, Simone Tellini 2 Http Server, Mod Accounting 2013-10-11 7.5 HIGH N/A
SQL injection vulnerability in mod_accounting.c in the mod_accounting module 0.5 and earlier for Apache allows remote attackers to execute arbitrary SQL commands via a Host header.
CVE-2012-2380 1 Apache 1 Roller 2013-10-04 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the admin/editor console in Apache Roller before 5.0.1 allow remote attackers to hijack the authentication of admins or editors by leveraging the HTTP POST functionality.
CVE-2012-2381 1 Apache 1 Roller 2013-10-03 3.5 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in Apache Roller before 5.0.1 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the blogger role.
CVE-2013-1814 1 Apache 1 Rave 2013-07-03 4.0 MEDIUM N/A
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
CVE-2013-0941 3 Apache, Microsoft, Rsa 7 Http Server, Internet Information Server, Windows and 4 more 2013-05-23 2.1 LOW N/A
EMC RSA Authentication API before 8.1 SP1, RSA Web Agent before 5.3.5 for Apache Web Server, RSA Web Agent before 5.3.5 for IIS, RSA PAM Agent before 7.0, and RSA Agent before 6.1.4 for Microsoft Windows use an improper encryption algorithm and a weak key for maintaining the stored data of the node secret for the SecurID Authentication API, which allows local users to obtain sensitive information via cryptographic attacks on this data.
CVE-2013-0942 3 Apache, Emc, Microsoft 3 Http Server, Rsa Authentication Agent, Internet Information Server 2013-05-22 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Agent 7.1 before 7.1.1 for Web for Internet Information Services, and 7.1 before 7.1.1 for Web for Apache, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-0256 1 Apache 1 Traffic Server 2013-03-26 5.0 MEDIUM N/A
Apache Traffic Server 2.0.x and 3.0.x before 3.0.4 and 3.1.x before 3.1.3 does not properly allocate heap memory, which allows remote attackers to cause a denial of service (daemon crash) via a long HTTP Host header.
CVE-2012-4458 1 Apache 1 Qpid 2013-03-19 5.0 MEDIUM N/A
The AMQP type decoder in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (memory consumption and server crash) via a large number of zero width elements in the client-properties map in a connection.start-ok message.
CVE-2012-4459 1 Apache 1 Qpid 2013-03-19 5.0 MEDIUM N/A
Integer overflow in the qpid::framing::Buffer::checkAvailable function in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (crash) via a crafted message, which triggers an out-of-bounds read.
CVE-2012-4446 1 Apache 1 Qpid 2013-03-19 6.8 MEDIUM N/A
The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request.
CVE-2012-4418 1 Apache 1 Axis2 2013-01-30 5.8 MEDIUM N/A
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
CVE-2012-4501 2 Apache, Citrix 2 Cloudstack, Cloudstack 2012-10-26 10.0 HIGH N/A
Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as demonstrated by API calls to delete VMs.
CVE-2011-3620 1 Apache 1 Qpid 2012-08-14 7.5 HIGH N/A
Apache Qpid 0.12 does not properly verify credentials during the joining of a cluster, which allows remote attackers to obtain access to the messaging functionality and job functionality of a cluster by leveraging knowledge of a cluster-username.