Filtered by vendor Apache
Subscribe
Total
1977 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2010-3872 | 1 Apache | 1 Mod Fcgid | 2017-08-16 | 7.2 HIGH | N/A |
The fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.6 for the Apache HTTP Server does not use bytewise pointer arithmetic in certain circumstances, which has unspecified impact and attack vectors related to "untrusted FastCGI applications" and a "stack buffer overwrite." | |||||
CVE-2010-1244 | 1 Apache | 1 Activemq | 2017-08-16 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in createDestination.action in Apache ActiveMQ before 5.3.1 allows remote attackers to hijack the authentication of unspecified victims for requests that create queues via the JMSDestination parameter in a queue action. | |||||
CVE-2009-1885 | 1 Apache | 1 Xerces-c\+\+ | 2017-08-16 | 4.3 MEDIUM | N/A |
Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in "simply nested DTD structures," as demonstrated by the Codenomicon XML fuzzing framework. | |||||
CVE-2007-6726 | 2 Apache, Dojotoolkit | 2 Struts, Dojo | 2017-08-16 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) xip_client.html and (2) xip_server.html in src/io/. | |||||
CVE-2008-6504 | 2 Apache, Opensymphony | 2 Struts, Xwork | 2017-08-16 | 5.0 MEDIUM | N/A |
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character. | |||||
CVE-2010-2245 | 1 Apache | 1 Wink | 2017-08-16 | 5.8 MEDIUM | 7.4 HIGH |
XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document. | |||||
CVE-2017-9801 | 1 Apache | 1 Commons Email | 2017-08-09 | 5.0 MEDIUM | 7.5 HIGH |
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers. | |||||
CVE-2016-4465 | 1 Apache | 1 Struts | 2017-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. | |||||
CVE-2016-4433 | 1 Apache | 1 Struts | 2017-08-08 | 5.0 MEDIUM | 7.5 HIGH |
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | |||||
CVE-2016-4436 | 1 Apache | 1 Struts | 2017-08-08 | 7.5 HIGH | 9.8 CRITICAL |
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | |||||
CVE-2016-4431 | 1 Apache | 1 Struts | 2017-08-08 | 5.0 MEDIUM | 7.5 HIGH |
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. | |||||
CVE-2008-4482 | 1 Apache | 1 Xerces-c\+\+ | 2017-08-07 | 7.8 HIGH | N/A |
The XML parser in Xerces-C++ before 3.0.0 allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an XML schema definition with a large maxOccurs value, which triggers excessive memory consumption during validation of an XML file. | |||||
CVE-2010-1632 | 2 Apache, Ibm | 6 Axis2, Geronimo, Orchestration Director Engine and 3 more | 2017-07-29 | 7.5 HIGH | N/A |
Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService. | |||||
CVE-2007-2353 | 1 Apache | 1 Axis | 2017-07-28 | 5.0 MEDIUM | N/A |
Apache Axis 1.0 allows remote attackers to obtain sensitive information by requesting a non-existent WSDL file, which reveals the installation path in the resulting exception message. | |||||
CVE-2007-3101 | 1 Apache | 1 Myfaces Tomahawk | 2017-07-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in certain JSF applications in Apache MyFaces Tomahawk before 1.1.6 allow remote attackers to inject arbitrary web script via the autoscroll parameter, which is injected into Javascript that is sent to the client. | |||||
CVE-2007-1741 | 1 Apache | 1 Http Server | 2017-07-28 | 6.2 MEDIUM | N/A |
Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 between directory and file validation, and their usage, allow local users to gain privileges and execute arbitrary code by renaming directories or performing symlink attacks. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root." | |||||
CVE-2002-2272 | 1 Apache | 2 Http Server, Tomcat | 2017-07-28 | 7.8 HIGH | N/A |
Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values. | |||||
CVE-2015-8796 | 1 Apache | 1 Solr | 2017-07-27 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL. | |||||
CVE-2015-0249 | 1 Apache | 1 Roller | 2017-07-27 | 6.5 MEDIUM | 7.2 HIGH |
The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka VTL). | |||||
CVE-2016-8741 | 1 Apache | 1 Qpid Java | 2017-07-26 | 5.0 MEDIUM | 7.5 HIGH |
The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256. |