Filtered by vendor Apache
Subscribe
Total
2724 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-4386 | 1 Apache | 1 Struts | 2025-04-11 | 6.8 MEDIUM | N/A |
| The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. | |||||
| CVE-2010-4172 | 1 Apache | 1 Tomcat | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications. | |||||
| CVE-2013-2155 | 1 Apache | 1 Xml Security For C\+\+ | 2025-04-11 | 5.8 MEDIUM | N/A |
| Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 does not properly validate length values, which allows remote attackers to cause a denial of service or bypass the CVE-2009-0217 protection mechanism and spoof a signature via crafted length values to the (1) compareBase64StringToRaw, (2) DSIGAlgorithmHandlerDefault, or (3) DSIGAlgorithmHandlerDefault::verify functions. | |||||
| CVE-2012-0838 | 1 Apache | 1 Struts | 2025-04-11 | 10.0 HIGH | N/A |
| Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. | |||||
| CVE-2003-1581 | 1 Apache | 1 Http Server | 2025-04-11 | 2.6 LOW | N/A |
| The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. | |||||
| CVE-2011-5063 | 1 Apache | 1 Tomcat | 2025-04-11 | 4.3 MEDIUM | N/A |
| The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184. | |||||
| CVE-2012-1149 | 5 Apache, Debian, Fedoraproject and 2 more | 10 Openoffice.org, Debian Linux, Fedora and 7 more | 2025-04-11 | 7.5 HIGH | N/A |
| Integer overflow in the vclmi.dll module in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and LibreOffice before 3.5.3, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted embedded image object, as demonstrated by a JPEG image in a .DOC file, which triggers a heap-based buffer overflow. | |||||
| CVE-2012-2687 | 1 Apache | 1 Http Server | 2025-04-11 | 2.6 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. | |||||
| CVE-2012-3506 | 1 Apache | 1 Ofbiz | 2025-04-11 | 10.0 HIGH | N/A |
| Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attack vectors. | |||||
| CVE-2013-2071 | 1 Apache | 1 Tomcat | 2025-04-11 | 2.6 LOW | N/A |
| java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes. | |||||
| CVE-2012-5783 | 2 Apache, Canonical | 2 Httpclient, Ubuntu Linux | 2025-04-11 | 5.8 MEDIUM | N/A |
| Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2011-2329 | 1 Apache | 1 Rampart\/c | 2025-04-11 | 6.5 MEDIUM | N/A |
| The rampart_timestamp_token_validate function in util/rampart_timestamp_token.c in Apache Rampart/C 1.3.0 does not properly calculate the expiration of timestamp tokens, which allows remote attackers to bypass intended access restrictions by leveraging an expired token, a different vulnerability than CVE-2011-0730. | |||||
| CVE-2012-5575 | 2 Apache, Redhat | 6 Cxf, Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform and 3 more | 2025-04-11 | 6.4 MEDIUM | N/A |
| Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack." | |||||
| CVE-2012-3526 | 2 Apache, Thomas Eibner | 2 Http Server, Mod Rpaf | 2025-04-11 | 5.0 MEDIUM | N/A |
| The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Apache HTTP Server allows remote attackers to cause a denial of service (server or application crash) via multiple X-Forwarded-For headers in a request. | |||||
| CVE-2012-2138 | 1 Apache | 2 Org.apache.sling.servlets.post, Sling | 2025-04-11 | 5.0 MEDIUM | N/A |
| The @CopyFrom operation in the POST servlet in the org.apache.sling.servlets.post bundle before 2.1.2 in Apache Sling does not prevent attempts to copy an ancestor node to a descendant node, which allows remote attackers to cause a denial of service (infinite loop) via a crafted HTTP request. | |||||
| CVE-2003-1580 | 1 Apache | 1 Http Server | 2025-04-11 | 4.3 MEDIUM | N/A |
| The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. | |||||
| CVE-2013-0177 | 1 Apache | 1 Ofbiz | 2025-04-11 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1) Screenlet.title or (2) Image.alt Widget attribute, as demonstrated by the parentPortalPageId parameter to exampleext/control/ManagePortalPages. | |||||
| CVE-2012-0394 | 1 Apache | 1 Struts | 2025-04-11 | 6.8 MEDIUM | N/A |
| The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself. | |||||
| CVE-2013-2254 | 1 Apache | 2 Org.apache.sling.servlets.post, Sling | 2025-04-11 | 5.0 MEDIUM | N/A |
| The deepGetOrCreateNode function in impl/operations/AbstractCreateOperation.java in org.apache.sling.servlets.post.bundle 2.2.0 and 2.3.0 in Apache Sling does not properly handle a NULL value that returned when the session does not have permissions to the root node, which allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors. | |||||
| CVE-2013-6408 | 1 Apache | 1 Solr | 2025-04-11 | 6.4 MEDIUM | N/A |
| The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407. | |||||