Vendor CVEs
Apache
All CVEs
2,552 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-0189 | 0.01 | — | 0.24 | Sep 11, 2019 | The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is… | |||
| CVE-2019-0196 | 0.01 | — | 0.19 | Jun 11, 2019 | A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly. | |||
| CVE-2019-0194 | 0.01 | — | 0.08 | Apr 30, 2019 | Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected. | |||
| CVE-2019-0228 | 0.01 | — | 0.09 | Apr 17, 2019 | Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. | |||
| CVE-2018-11803 | 0.01 | — | 0.58 | Feb 5, 2019 | Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation. | |||
| CVE-2018-17199 | 0.01 | — | 0.20 | Jan 30, 2019 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. | |||
| CVE-2018-17189 | 0.01 | — | 0.19 | Jan 30, 2019 | In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections. | |||
| CVE-2018-8040 | Med | 0.01 | 5.3 | 0.09 | Aug 29, 2018 | Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to… | ||
| CVE-2018-8022 | Hig | 0.01 | 7.5 | 0.07 | Aug 29, 2018 | A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolve this issue users running 6.2.2 should upgrade to 6.2.3 or later versions. | ||
| CVE-2018-8005 | Med | 0.01 | 5.3 | 0.07 | Aug 29, 2018 | When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running… | ||
| CVE-2018-8004 | Med | 0.01 | 6.5 | 0.06 | Aug 29, 2018 | There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later… | ||
| CVE-2018-1318 | Hig | 0.01 | 7.5 | 0.08 | Aug 29, 2018 | Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects versions Apache Traffic Server (ATS) 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x… | ||
| CVE-2018-11757 | Cri | 0.01 | 9.8 | 0.07 | Jul 23, 2018 | In Docker Skeleton Runtime for Apache OpenWhisk, a Docker action inheriting the Docker tag openwhisk/dockerskeleton:1.3.0 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation. | ||
| CVE-2018-11756 | Cri | 0.01 | 9.8 | 0.08 | Jul 23, 2018 | In PHP Runtime for Apache OpenWhisk, a Docker action inheriting one of the Docker tags openwhisk/action-php-v7.2:1.0.0 or openwhisk/action-php-v7.1:1.0.1 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code… | ||
| CVE-2015-5214 | 0.01 | — | 0.10 | Nov 10, 2015 | LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via an index to a non-existent bookmark in a DOC file. | |||
| CVE-2015-5213 | 0.01 | — | 0.13 | Nov 10, 2015 | Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a long DOC file, which triggers a buffer overflow. | |||
| CVE-2015-5212 | 0.01 | — | 0.09 | Nov 10, 2015 | Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2, when the configuration setting "Load printer settings with the document" is enabled, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly… | |||
| CVE-2015-4551 | 0.01 | — | 0.14 | Nov 10, 2015 | LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 uses the stored LinkUpdateMode configuration information in OpenDocument Format files and templates when handling links, which might allow remote attackers to obtain sensitive information via a crafted document, which… | |||
| CVE-2015-3269 | 0.01 | — | 0.10 | Aug 25, 2015 | Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before 4.7.0.354169 and other products, allows remote attackers to read arbitrary files via an… | |||
| CVE-2015-3187 | 0.01 | — | 0.06 | Aug 12, 2015 | The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a… | |||
| CVE-2015-3184 | 0.01 | — | 0.11 | Aug 12, 2015 | mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name. | |||
| CVE-2014-7810 | 0.01 | — | 0.14 | Jun 7, 2015 | The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager… | |||
| CVE-2015-2944 | 0.01 | — | 0.06 | Jun 2, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2)… | |||
| CVE-2015-1774 | 0.01 | — | 0.08 | Apr 28, 2015 | The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write. | |||
| CVE-2014-8111 | 0.01 | — | 0.07 | Apr 21, 2015 | Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors. | |||
| CVE-2015-0251 | 0.01 | — | 0.08 | Apr 8, 2015 | The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences. | |||
| CVE-2015-0248 | 0.01 | — | 0.13 | Apr 8, 2015 | The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers. | |||
| CVE-2015-0202 | 0.01 | — | 0.08 | Apr 8, 2015 | The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes. | |||
| CVE-2015-1773 | 0.01 | — | 0.07 | Apr 8, 2015 | Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html in Apache Flex before 4.14.1 allows remote attackers to inject arbitrary web script or HTML by providing a crafted URI to JavaScript code generated by the asdoc component. | |||
| CVE-2015-0225 | 0.01 | — | 0.07 | Apr 3, 2015 | The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. | |||
| CVE-2015-0250 | 0.01 | — | 0.17 | Mar 24, 2015 | XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file. | |||
| CVE-2015-0254 | 0.01 | — | 0.13 | Mar 9, 2015 | Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. | |||
| CVE-2015-0227 | 0.01 | — | 0.08 | Feb 12, 2015 | Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks." | |||
| CVE-2015-0223 | 0.01 | — | 0.07 | Feb 2, 2015 | Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd via unknown vectors, related to 0-10 connection handling. | |||
| CVE-2014-9527 | 0.01 | — | 0.08 | Jan 6, 2015 | HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file. | |||
| CVE-2014-8108 | 0.01 | — | 0.10 | Dec 18, 2014 | The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name… | |||
| CVE-2014-3580 | 0.01 | — | 0.11 | Dec 18, 2014 | The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist. | |||
| CVE-2014-3583 | 0.01 | — | 0.11 | Dec 15, 2014 | The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers. | |||
| CVE-2014-3629 | 0.01 | — | 0.07 | Nov 17, 2014 | XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message. | |||
| CVE-2014-3623 | 0.01 | — | 0.09 | Oct 30, 2014 | Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing… | |||
| CVE-2014-3581 | 0.01 | — | 0.13 | Oct 10, 2014 | The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header. | |||
| CVE-2013-4444 | 0.01 | — | 0.14 | Sep 12, 2014 | Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file. | |||
| CVE-2014-3574 | 0.01 | — | 0.07 | Sep 4, 2014 | Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack. | |||
| CVE-2014-3575 | 0.01 | — | 0.10 | Aug 27, 2014 | The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects. | |||
| CVE-2014-3524 | 0.01 | — | 0.15 | Aug 26, 2014 | Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet. | |||
| CVE-2014-0232 | 0.01 | — | 0.08 | Aug 22, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not… | |||
| CVE-2014-3528 | 0.01 | — | 0.07 | Aug 19, 2014 | Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm. | |||
| CVE-2014-3523 | 0.01 | — | 0.16 | Jul 20, 2014 | Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted… | |||
| CVE-2013-4352 | 0.01 | — | 0.12 | Jul 20, 2014 | The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP servers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that… | |||
| CVE-2012-1621 | 0.01 | — | 0.10 | Jun 19, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter… |
- CVE-2019-0189Sep 11, 2019risk 0.01cvss —epss 0.24
The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is…
- CVE-2019-0196Jun 11, 2019risk 0.01cvss —epss 0.19
A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.
- CVE-2019-0194Apr 30, 2019risk 0.01cvss —epss 0.08
Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected.
- CVE-2019-0228Apr 17, 2019risk 0.01cvss —epss 0.09
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.
- CVE-2018-11803Feb 5, 2019risk 0.01cvss —epss 0.58
Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.
- CVE-2018-17199Jan 30, 2019risk 0.01cvss —epss 0.20
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
- CVE-2018-17189Jan 30, 2019risk 0.01cvss —epss 0.19
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
- risk 0.01cvss 5.3epss 0.09
Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to…
- risk 0.01cvss 7.5epss 0.07
A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolve this issue users running 6.2.2 should upgrade to 6.2.3 or later versions.
- risk 0.01cvss 5.3epss 0.07
When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running…
- risk 0.01cvss 6.5epss 0.06
There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later…
- risk 0.01cvss 7.5epss 0.08
Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects versions Apache Traffic Server (ATS) 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x…
- risk 0.01cvss 9.8epss 0.07
In Docker Skeleton Runtime for Apache OpenWhisk, a Docker action inheriting the Docker tag openwhisk/dockerskeleton:1.3.0 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation.
- risk 0.01cvss 9.8epss 0.08
In PHP Runtime for Apache OpenWhisk, a Docker action inheriting one of the Docker tags openwhisk/action-php-v7.2:1.0.0 or openwhisk/action-php-v7.1:1.0.1 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code…
- CVE-2015-5214Nov 10, 2015risk 0.01cvss —epss 0.10
LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via an index to a non-existent bookmark in a DOC file.
- CVE-2015-5213Nov 10, 2015risk 0.01cvss —epss 0.13
Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a long DOC file, which triggers a buffer overflow.
- CVE-2015-5212Nov 10, 2015risk 0.01cvss —epss 0.09
Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2, when the configuration setting "Load printer settings with the document" is enabled, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly…
- CVE-2015-4551Nov 10, 2015risk 0.01cvss —epss 0.14
LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 uses the stored LinkUpdateMode configuration information in OpenDocument Format files and templates when handling links, which might allow remote attackers to obtain sensitive information via a crafted document, which…
- CVE-2015-3269Aug 25, 2015risk 0.01cvss —epss 0.10
Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before 4.7.0.354169 and other products, allows remote attackers to read arbitrary files via an…
- CVE-2015-3187Aug 12, 2015risk 0.01cvss —epss 0.06
The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a…
- CVE-2015-3184Aug 12, 2015risk 0.01cvss —epss 0.11
mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.
- CVE-2014-7810Jun 7, 2015risk 0.01cvss —epss 0.14
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager…
- CVE-2015-2944Jun 2, 2015risk 0.01cvss —epss 0.06
Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2)…
- CVE-2015-1774Apr 28, 2015risk 0.01cvss —epss 0.08
The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.
- CVE-2014-8111Apr 21, 2015risk 0.01cvss —epss 0.07
Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.
- CVE-2015-0251Apr 8, 2015risk 0.01cvss —epss 0.08
The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences.
- CVE-2015-0248Apr 8, 2015risk 0.01cvss —epss 0.13
The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers.
- CVE-2015-0202Apr 8, 2015risk 0.01cvss —epss 0.08
The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes.
- CVE-2015-1773Apr 8, 2015risk 0.01cvss —epss 0.07
Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html in Apache Flex before 4.14.1 allows remote attackers to inject arbitrary web script or HTML by providing a crafted URI to JavaScript code generated by the asdoc component.
- CVE-2015-0225Apr 3, 2015risk 0.01cvss —epss 0.07
The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.
- CVE-2015-0250Mar 24, 2015risk 0.01cvss —epss 0.17
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
- CVE-2015-0254Mar 9, 2015risk 0.01cvss —epss 0.13
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
- CVE-2015-0227Feb 12, 2015risk 0.01cvss —epss 0.08
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."
- CVE-2015-0223Feb 2, 2015risk 0.01cvss —epss 0.07
Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd via unknown vectors, related to 0-10 connection handling.
- CVE-2014-9527Jan 6, 2015risk 0.01cvss —epss 0.08
HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.
- CVE-2014-8108Dec 18, 2014risk 0.01cvss —epss 0.10
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name…
- CVE-2014-3580Dec 18, 2014risk 0.01cvss —epss 0.11
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.
- CVE-2014-3583Dec 15, 2014risk 0.01cvss —epss 0.11
The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.
- CVE-2014-3629Nov 17, 2014risk 0.01cvss —epss 0.07
XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message.
- CVE-2014-3623Oct 30, 2014risk 0.01cvss —epss 0.09
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing…
- CVE-2014-3581Oct 10, 2014risk 0.01cvss —epss 0.13
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.
- CVE-2013-4444Sep 12, 2014risk 0.01cvss —epss 0.14
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
- CVE-2014-3574Sep 4, 2014risk 0.01cvss —epss 0.07
Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
- CVE-2014-3575Aug 27, 2014risk 0.01cvss —epss 0.10
The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects.
- CVE-2014-3524Aug 26, 2014risk 0.01cvss —epss 0.15
Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet.
- CVE-2014-0232Aug 22, 2014risk 0.01cvss —epss 0.08
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not…
- CVE-2014-3528Aug 19, 2014risk 0.01cvss —epss 0.07
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.
- CVE-2014-3523Jul 20, 2014risk 0.01cvss —epss 0.16
Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted…
- CVE-2013-4352Jul 20, 2014risk 0.01cvss —epss 0.12
The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP servers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that…
- CVE-2012-1621Jun 19, 2014risk 0.01cvss —epss 0.10
Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter…
Page 22 of 52