VYPR

Vendor CVEs

Apache

All CVEs

2,550 total · sorted by risk
  • CVE-2007-2449Jun 14, 2007
    risk 0.09cvss epss 0.77

    Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary…

  • CVE-2006-7196May 10, 2007
    risk 0.09cvss epss 0.72

    Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to…

  • CVE-2006-2447Jun 6, 2006
    risk 0.09cvss epss 0.74

    SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.

  • CVE-2004-0751Oct 20, 2004
    risk 0.09cvss epss 0.70

    The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault).

  • CVE-2001-0925Mar 12, 2001
    risk 0.09cvss epss 0.75

    The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2)…

  • CVE-2024-45216Oct 16, 2024
    risk 0.08cvss epss 0.91

    Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests…

  • CVE-2023-37582Jul 12, 2023
    risk 0.08cvss epss 0.90

    The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this…

  • CVE-2021-31805Apr 12, 2022
    risk 0.08cvss epss 0.85

    The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted…

  • CVE-2021-27905Apr 13, 2021
    risk 0.08cvss epss 0.93

    The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent…

  • CVE-2018-11759Oct 31, 2018
    risk 0.08cvss epss 0.91

    The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed…

  • CVE-2012-1006Feb 7, 2012
    risk 0.08cvss epss 0.58

    Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to…

  • CVE-2011-4317Nov 30, 2011
    risk 0.08cvss epss 0.61

    The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a…

  • CVE-2007-5333Feb 12, 2008
    risk 0.08cvss epss 0.63

    Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to…

  • CVE-2008-0455Jan 25, 2008
    risk 0.08cvss epss 0.65

    Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web…

  • CVE-2007-3386Aug 14, 2007
    risk 0.08cvss epss 0.59

    Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action.

  • CVE-2007-1355May 21, 2007
    risk 0.08cvss epss 0.58

    Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web…

  • CVE-2003-0245Jun 9, 2003
    risk 0.08cvss epss 0.63

    Vulnerability in the apr_psprintf function in the Apache Portable Runtime (APR) library for Apache 2.0.37 through 2.0.45 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long strings, as demonstrated using XML objects to…

  • CVE-2002-0654Sep 5, 2002
    risk 0.08cvss epss 0.59

    Apache 2.0 through 2.0.39 on Windows, OS2, and Netware allows remote attackers to determine the full pathname of the server via (1) a request for a .var file, which leaks the pathname in the resulting error message, or (2) via an error message that occurs when a script (child…

  • CVE-2001-0731Oct 1, 2001
    risk 0.08cvss epss 0.57

    Apache 1.3.20 with Multiviews enabled allows remote attackers to view directory contents and bypass the index page via a URL containing the "M=D" query string.

  • CVE-2000-0760Oct 20, 2000
    risk 0.08cvss epss 0.63

    The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.

  • CVE-2024-45507Sep 4, 2024
    risk 0.07cvss epss 0.93

    Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

  • CVE-2024-30188Aug 9, 2024
    risk 0.07cvss epss 0.06

    File read and write vulnerability in Apache DolphinScheduler ,  authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2. Users are recommended to upgrade to version 3.2.2, which fixes the issue.

  • CVE-2024-38473Jul 1, 2024
    risk 0.07cvss epss 0.26

    Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this…

  • CVE-2024-38472Jul 1, 2024
    risk 0.07cvss epss 0.68

    SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue.  Note: Existing configurations that access UNC paths will…

  • CVE-2024-36104Jun 4, 2024
    risk 0.07cvss epss 0.88

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.

  • CVE-2024-27316Apr 4, 2024
    risk 0.07cvss epss 0.91

    HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

  • CVE-2023-50968Dec 26, 2023
    risk 0.07cvss epss 0.63

    Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version…

  • CVE-2022-47501Apr 14, 2023
    risk 0.07cvss epss 0.10

    Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a  pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.

  • CVE-2022-33980Jul 6, 2022
    risk 0.07cvss epss 0.35

    Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup…

  • CVE-2022-24288Feb 25, 2022
    risk 0.07cvss epss 0.78

    In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

  • CVE-2021-44521Feb 11, 2022
    risk 0.07cvss epss 0.55

    When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would…

  • CVE-2021-44451Feb 1, 2022
    risk 0.07cvss epss 0.08

    Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher.

  • CVE-2021-45232Dec 27, 2021
    risk 0.07cvss epss 0.86

    In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of…

  • CVE-2021-30128Apr 27, 2021
    risk 0.07cvss epss 0.81

    Apache OFBiz has unsafe deserialization prior to 17.12.07 version

  • CVE-2021-29200Apr 27, 2021
    risk 0.07cvss epss 0.55

    Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

  • CVE-2020-11991Sep 11, 2020
    risk 0.07cvss epss 0.73

    When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.

  • CVE-2020-1943Apr 1, 2020
    risk 0.07cvss epss 0.97

    Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.

  • CVE-2019-12409Nov 18, 2019
    risk 0.07cvss epss 0.22

    The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring…

  • CVE-2019-0192Mar 7, 2019
    risk 0.07cvss epss 0.78

    In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on…

  • CVE-2018-8033Dec 13, 2018
    risk 0.07cvss epss 0.26

    In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters:…

  • CVE-2013-1884May 2, 2013
    risk 0.07cvss epss 0.51

    The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (segmentation fault and crash) via a log REPORT request with an invalid limit, which triggers an access of an uninitialized variable.

  • CVE-2013-1847May 2, 2013
    risk 0.07cvss epss 0.51

    The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist.

  • CVE-2011-3639Nov 30, 2011
    risk 0.07cvss epss 0.53

    The mod_proxy module in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x before 2.2.18, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which…

  • CVE-2010-3863Nov 5, 2010
    risk 0.07cvss epss 0.55

    Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

  • CVE-2010-1157Apr 23, 2010
    risk 0.07cvss epss 0.53

    Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the…

  • CVE-2008-2370Aug 4, 2008
    risk 0.07cvss epss 0.53

    Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read…

  • CVE-2008-2168May 13, 2008
    risk 0.07cvss epss 0.55

    Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.

  • CVE-2007-3101Jun 18, 2007
    risk 0.07cvss epss 0.44

    Multiple cross-site scripting (XSS) vulnerabilities in certain JSF applications in Apache MyFaces Tomahawk before 1.1.6 allow remote attackers to inject arbitrary web script via the autoscroll parameter, which is injected into Javascript that is sent to the client.

  • CVE-2004-0942Feb 9, 2005
    risk 0.07cvss epss 0.55

    Apache webserver 2.0.52 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request with a MIME header containing multiple lines with a large number of space characters.

  • CVE-2003-0042Feb 7, 2003
    risk 0.07cvss epss 0.46

    Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.

Page 17 of 51