ReportizFlow
Filtered by vendor Apache
Subscriptions
Total
2895 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-3089 | 1 Apache | 1 Openmeetings | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the SWF panel in Apache OpenMeetings before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the swf parameter. | ||||
| CVE-2016-3087 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin. | ||||
| CVE-2016-3085 | 1 Apache | 1 Cloudstack | 2025-04-12 | N/A |
| Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and used, allow remote attackers to bypass authentication and access the user interface via vectors related to the SAML plugin. | ||||
| CVE-2016-3082 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | ||||
| CVE-2016-3081 | 2 Apache, Oracle | 2 Struts, Siebel E-billing | 2025-04-12 | N/A |
| Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. | ||||
| CVE-2016-2099 | 2 Apache, Opensuse | 2 Xerces-c\+\+, Opensuse | 2025-04-12 | N/A |
| Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impact via an invalid character in an XML document. | ||||
| CVE-2014-3584 | 2 Apache, Redhat | 2 Cxf, Jboss Fuse | 2025-04-12 | N/A |
| The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service. | ||||
| CVE-2015-3185 | 4 Apache, Apple, Canonical and 1 more | 8 Http Server, Mac Os X, Mac Os X Server and 5 more | 2025-04-12 | N/A |
| The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. | ||||
| CVE-2014-0050 | 3 Apache, Oracle, Redhat | 16 Commons Fileupload, Tomcat, Retail Applications and 13 more | 2025-04-12 | N/A |
| MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. | ||||
| CVE-2014-0035 | 2 Apache, Redhat | 7 Cxf, Jboss Amq, Jboss Bpms and 4 more | 2025-04-12 | N/A |
| The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network. | ||||
| CVE-2014-3581 | 4 Apache, Canonical, Oracle and 1 more | 12 Http Server, Ubuntu Linux, Enterprise Manager Ops Center and 9 more | 2025-04-12 | N/A |
| The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header. | ||||
| CVE-2014-0034 | 2 Apache, Redhat | 7 Cxf, Jboss Amq, Jboss Bpms and 4 more | 2025-04-12 | N/A |
| The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token. | ||||
| CVE-2013-7372 | 2 Apache, Google | 2 Harmony, Android | 2025-04-12 | N/A |
| The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013. | ||||
| CVE-2016-2175 | 3 Apache, Debian, Redhat | 7 Pdfbox, Debian Linux, Jboss Amq and 4 more | 2025-04-12 | N/A |
| Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF. | ||||
| CVE-2016-2171 | 1 Apache | 1 Jetspeed | 2025-04-12 | N/A |
| The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API. | ||||
| CVE-2016-2167 | 1 Apache | 1 Subversion | 2025-04-12 | N/A |
| The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string. | ||||
| CVE-2016-2166 | 3 Apache, Fedoraproject, Redhat | 4 Qpid Proton, Fedora, Satellite and 1 more | 2025-04-12 | N/A |
| The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors. | ||||
| CVE-2016-2163 | 1 Apache | 1 Openmeetings | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in Apache OpenMeetings before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the event description when creating an event. | ||||
| CVE-2016-2162 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. | ||||
| CVE-2014-3577 | 2 Apache, Redhat | 18 Httpasyncclient, Httpclient, Enterprise Linux and 15 more | 2025-04-12 | N/A |
| org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field. | ||||