Filtered by vendor Apache
Subscriptions
Total
2327 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2013-0253 | 2 Apache, Redhat | 3 Maven, Maven Wagon, Openshift | 2024-08-06 | N/A |
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack. | ||||
CVE-2013-0239 | 2 Apache, Redhat | 4 Cxf, Fuse Esb Enterprise, Jboss Enterprise Application Platform and 1 more | 2024-08-06 | N/A |
Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element. | ||||
CVE-2013-0267 | 1 Apache | 1 Vcl | 2024-08-06 | N/A |
The Privileges portion of the web GUI and the XMLRPC API in Apache VCL 2.3.x before 2.3.2, 2.2.x before 2.2.2 and 2.1 allow remote authenticated users with nodeAdmin, manageGroup, resourceGrant, or userGrant permissions to gain privileges, cause a denial of service, or conduct cross-site scripting (XSS) attacks by leveraging improper data validation. | ||||
CVE-2013-0248 | 1 Apache | 1 Commons Fileupload | 2024-08-06 | N/A |
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack. | ||||
CVE-2013-0177 | 1 Apache | 1 Ofbiz | 2024-08-06 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1) Screenlet.title or (2) Image.alt Widget attribute, as demonstrated by the parentPortalPageId parameter to exampleext/control/ManagePortalPages. | ||||
CVE-2014-9635 | 2 Apache, Jenkins | 2 Tomcat, Jenkins | 2024-08-06 | N/A |
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies. | ||||
CVE-2014-9634 | 2 Apache, Jenkins | 2 Tomcat, Jenkins | 2024-08-06 | N/A |
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session. | ||||
CVE-2014-9527 | 3 Apache, Fedoraproject, Redhat | 3 Poi, Fedora, Jboss Data Virtualization | 2024-08-06 | N/A |
HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file. | ||||
CVE-2014-8152 | 1 Apache | 1 Santuario Xml Security For Java | 2024-08-06 | N/A |
Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. | ||||
CVE-2014-8111 | 2 Apache, Redhat | 3 Tomcat Connectors, Jboss Enterprise Application Platform, Jboss Enterprise Web Server | 2024-08-06 | N/A |
Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors. | ||||
CVE-2014-8110 | 1 Apache | 1 Activemq | 2024-08-06 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
CVE-2014-8108 | 3 Apache, Apple, Redhat | 7 Subversion, Xcode, Enterprise Linux and 4 more | 2024-08-06 | N/A |
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name that does not exist. | ||||
CVE-2014-8109 | 4 Apache, Canonical, Fedoraproject and 1 more | 4 Http Server, Ubuntu Linux, Fedora and 1 more | 2024-08-06 | N/A |
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. | ||||
CVE-2014-7809 | 1 Apache | 1 Struts | 2024-08-06 | N/A |
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. | ||||
CVE-2014-7808 | 1 Apache | 1 Wicket | 2024-08-06 | 7.5 High |
Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider. | ||||
CVE-2014-7807 | 1 Apache | 1 Cloudstack | 2024-08-06 | N/A |
Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind. | ||||
CVE-2014-7810 | 4 Apache, Debian, Hp and 1 more | 5 Tomcat, Debian Linux, Hp-ux and 2 more | 2024-08-06 | N/A |
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation. | ||||
CVE-2014-4651 | 2 Apache, Redhat | 2 Jclouds, Jboss Fuse | 2024-08-06 | 9.8 Critical |
It was found that the jclouds scriptbuilder Statements class wrote a temporary file to a predictable location. An attacker could use this flaw to access sensitive data, cause a denial of service, or perform other attacks. | ||||
CVE-2014-3628 | 1 Apache | 1 Solr | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the fieldvaluecache object. | ||||
CVE-2014-3629 | 1 Apache | 1 Qpid | 2024-08-06 | N/A |
XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message. |