Filtered by vendor Apache
Subscriptions
Total
2434 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-8751 | 1 Apache | 1 Ranger | 2025-04-20 | N/A |
| Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies. | ||||
| CVE-2016-6805 | 1 Apache | 1 Ignite | 2025-04-20 | N/A |
| Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. | ||||
| CVE-2016-6804 | 2 Apache, Microsoft | 2 Openoffice, Windows | 2025-04-20 | 7.8 High |
| The Apache OpenOffice installer (versions prior to 4.1.3, including some branded as OpenOffice.org) for Windows contains a defective operation that allows execution of arbitrary code with elevated privileges. This requires that the location in which the installer is run has been previously poisoned by a file that impersonates a dynamic-link library that the installer depends upon. | ||||
| CVE-2016-6806 | 1 Apache | 1 Wicket | 2025-04-20 | N/A |
| Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed. | ||||
| CVE-2014-0073 | 1 Apache | 2 Cordova, Cordova In-app-browser | 2025-04-20 | N/A |
| The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI. | ||||
| CVE-2012-4449 | 1 Apache | 1 Hadoop | 2025-04-20 | N/A |
| Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. | ||||
| CVE-2016-6807 | 1 Apache | 1 Ambari | 2025-04-20 | N/A |
| Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process. | ||||
| CVE-2016-8734 | 2 Apache, Debian | 2 Subversion, Debian Linux | 2025-04-20 | N/A |
| Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory. | ||||
| CVE-2017-7666 | 1 Apache | 1 Openmeetings | 2025-04-20 | N/A |
| Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks. | ||||
| CVE-2016-6809 | 1 Apache | 2 Nutch, Tika | 2025-04-20 | 9.8 Critical |
| Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization. | ||||
| CVE-2014-0030 | 1 Apache | 1 Roller | 2025-04-20 | N/A |
| The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | ||||
| CVE-2016-6798 | 1 Apache | 1 Sling | 2025-04-20 | N/A |
| In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application. | ||||
| CVE-2016-6793 | 1 Apache | 1 Wicket | 2025-04-20 | N/A |
| The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object. | ||||
| CVE-2014-0043 | 1 Apache | 1 Wicket | 2025-04-20 | N/A |
| In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use. | ||||
| CVE-2016-6795 | 1 Apache | 1 Struts | 2025-04-20 | N/A |
| In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side. | ||||
| CVE-2016-6799 | 1 Apache | 1 Cordova | 2025-04-20 | N/A |
| Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications. | ||||
| CVE-2016-5394 | 1 Apache | 1 Sling | 2025-04-20 | 6.1 Medium |
| In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities. | ||||
| CVE-2012-0881 | 1 Apache | 1 Xerces2 Java | 2025-04-20 | N/A |
| Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. | ||||
| CVE-2016-5396 | 1 Apache | 1 Traffic Server | 2025-04-20 | N/A |
| Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack. | ||||
| CVE-2016-5004 | 1 Apache | 1 Ws-xmlrpc | 2025-04-20 | N/A |
| The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache Archiva allows remote attackers to cause a denial of service (resource consumption) by decompressing a large file containing zeroes. | ||||