Skip to main content

Apache

2551 CVEs vendor

Monthly

CVE-2015-3270 MEDIUM This Month

Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authenticated users to gain administrative privileges via unspecified vectors, possibly related to changing passwords. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Ambari
NVD
CVSS 2.0
6.5
EPSS
0.8%
CVE-2015-3186 LOW Monitor

Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 allows remote authenticated cluster operator users to inject arbitrary web script or HTML via the note field in a configuration. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS Apache Ambari
NVD
CVSS 2.0
3.5
EPSS
0.2%
CVE-2015-1775 Maven MEDIUM PATCH This Month

Server-side request forgery (SSRF) vulnerability in the proxy endpoint (api/v1/proxy) in Apache Ambari before 2.1.0 allows remote authenticated users to conduct port scans and access unsecured. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity.

SSRF Apache Ambari
NVD
CVSS 2.0
5.5
EPSS
0.2%
CVE-2015-5262 Maven MEDIUM PATCH This Month

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Denial Of Service Java Apache Ubuntu Linux Fedora +1
NVD
CVSS 2.0
4.3
EPSS
1.6%
CVE-2015-3269 MEDIUM PATCH This Month

Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.3%.

Adobe XXE Information Disclosure Apache Business Service Management +1
NVD
CVSS 2.0
5.0
EPSS
13.3%
CVE-2015-6524 Maven MEDIUM PATCH This Month

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Java Authentication Bypass Fedora Activemq
NVD
CVSS 2.0
5.0
EPSS
1.2%
CVE-2014-3612 Maven HIGH PATCH This Week

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Java Authentication Bypass Activemq
NVD
CVSS 2.0
7.5
EPSS
0.7%
CVE-2014-1972 Maven HIGH PATCH This Week

Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Denial Of Service Apache Tapestry
NVD
CVSS 2.0
7.8
EPSS
8.8%
CVE-2015-1830 Maven MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.0%.

Path Traversal Apache Microsoft Activemq
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
86.0%
Threat
5.1
CVE-2015-5506 MEDIUM PATCH This Month

The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal does not check the status of an entity when indexing, which allows remote attackers to obtain information about unpublished content. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Apache Solr Real Time
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2015-5501 HIGH This Week

The Hostmaster (Aegir) module 6.x-2.x before 6.x-2.4 and 7.x-3.x before 7.x-3.0-beta2 for Drupal allows remote attackers to execute arbitrary PHP code via a crafted file in the directory used to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP Apache Hostmaster
NVD
CVSS 2.0
7.5
EPSS
0.7%
CVE-2014-3576 Maven HIGH PATCH Act Now

The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 40.7%.

Denial Of Service Privilege Escalation Java Apache Activemq +2
NVD GitHub
CVSS 3.0
7.5
EPSS
40.7%
CVE-2015-3253 Maven CRITICAL PATCH Act Now

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 69.7%.

RCE Denial Of Service Java Apache Groovy +5
NVD
CVSS 3.0
9.8
EPSS
69.7%
Threat
4.1
CVE-2015-3187 MEDIUM This Month

The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Subversion Xcode
NVD
CVSS 2.0
4.0
EPSS
0.9%
CVE-2015-3184 MEDIUM This Month

mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 17.0% and no vendor patch available.

Information Disclosure Apache Xcode Subversion
NVD
CVSS 2.0
5.0
EPSS
17.0%
CVE-2015-3185 MEDIUM This Month

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Apache Ubuntu Linux Http Server Xcode +3
NVD GitHub
CVSS 2.0
4.3
EPSS
9.5%
CVE-2015-3183 MEDIUM PATCH This Month

The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 28.3%.

Information Disclosure Apache Http Server Apache HTTP Server
NVD GitHub
CVSS 2.0
5.0
EPSS
28.3%
CVE-2015-0253 MEDIUM This Month

The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 10.6% and no vendor patch available.

Denial Of Service Apache Http Server Mac Os X Mac Os X Server +3
NVD GitHub
CVSS 2.0
5.0
EPSS
10.6%
CVE-2015-1831 Maven HIGH PATCH This Week

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Struts
NVD
CVSS 2.0
7.5
EPSS
4.5%
CVE-2015-3675 MEDIUM PATCH This Month

The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Apple Authentication Bypass Mac Os X
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2015-4606 HIGH PATCH This Week

Unrestricted file upload vulnerability in the Job Fair (jobfair) extension before 1.0.1 for TYPO3, when using Apache with mod_mime, allows remote attackers to execute arbitrary code by uploading a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Apache Job Fair
NVD
CVSS 2.0
7.5
EPSS
1.7%
CVE-2015-3330 MEDIUM POC PATCH THREAT This Month

The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows remote attackers to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 39.0%.

RCE PHP Denial Of Service Apache Linux +9
NVD
CVSS 2.0
6.8
EPSS
39.0%
Threat
4.0
CVE-2014-7810 Maven MEDIUM PATCH This Month

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Tomcat Authentication Bypass Debian Linux
NVD
CVSS 2.0
5.0
EPSS
9.5%
CVE-2014-0230 Maven HIGH PATCH This Week

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Denial Of Service Apache Virtualization
NVD
CVSS 2.0
7.8
EPSS
3.1%
CVE-2015-0264 Maven MEDIUM PATCH This Month

Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

XXE Java Apache Camel
NVD
CVSS 2.0
5.0
EPSS
2.0%
CVE-2015-0263 Maven MEDIUM PATCH This Month

XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

XXE Java Apache Camel
NVD
CVSS 2.0
5.0
EPSS
2.6%
CVE-2015-2944 Maven MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS Apache Sling Api Sling Servlets Post
NVD
CVSS 2.0
4.3
EPSS
2.9%
CVE-2015-1833 Maven MEDIUM POC PATCH THREAT This Month

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 31.0%.

XXE Apache Jackrabbit
NVD Exploit-DB
CVSS 2.0
6.4
EPSS
31.0%
CVE-2015-1774 MEDIUM This Month

The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Memory Corruption Denial Of Service Buffer Overflow RCE Apache +8
NVD
CVSS 2.0
6.8
EPSS
9.7%
CVE-2014-8111 MEDIUM This Month

Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Apache Tomcat Connectors
NVD
CVSS 2.0
5.0
EPSS
3.7%
CVE-2015-1773 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html in Apache Flex before 4.14.1 allows remote attackers to inject arbitrary web script or HTML by providing a crafted URI to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Apache Flex
NVD
CVSS 2.0
4.3
EPSS
1.3%
CVE-2015-0225 Maven HIGH PATCH This Week

The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Java Apache Cassandra
NVD
CVSS 2.0
7.5
EPSS
0.7%
CVE-2015-0252 MEDIUM POC THREAT This Month

internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 25.2%.

Denial Of Service Apache Debian Linux Fedora Xerces C
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
25.2%
CVE-2015-0250 Maven MEDIUM POC PATCH This Month

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service XXE Apache Ubuntu Linux Batik +1
NVD
CVSS 2.0
6.4
EPSS
1.5%
CVE-2015-0254 Maven HIGH PATCH This Week

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

RCE XXE Apache Standard Taglibs Ubuntu Linux
NVD
CVSS 2.0
7.5
EPSS
3.8%
CVE-2015-0228 MEDIUM This Month

The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 18.7% and no vendor patch available.

Denial Of Service Apache Http Server Ubuntu Linux Mac Os X +3
NVD GitHub
CVSS 2.0
5.0
EPSS
18.7%
CVE-2014-2130 MEDIUM This Month

Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat RCE Cisco Privilege Escalation Apache +1
NVD
CVSS 2.0
6.5
EPSS
1.2%
CVE-2014-0227 Maven MEDIUM PATCH This Month

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 78.2%.

Tomcat Denial Of Service Java Apache
NVD
CVSS 2.0
6.4
EPSS
78.2%
CVE-2015-0227 Maven MEDIUM PATCH This Month

Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks.". Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.9%.

Privilege Escalation Apache Wss4J
NVD
CVSS 2.0
5.0
EPSS
13.9%
CVE-2014-8110 Maven MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Apache Activemq
NVD
CVSS 2.0
4.3
EPSS
3.9%
CVE-2015-0223 MEDIUM This Month

Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd via unknown vectors, related to 0-10 connection handling. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Qpid
NVD
CVSS 2.0
5.0
EPSS
2.3%
CVE-2014-8152 Maven MEDIUM PATCH This Month

Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Java Apache Santuario Xml Security For Java
NVD
CVSS 2.0
5.0
EPSS
2.1%
CVE-2014-9593 MEDIUM This Month

Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Cloudstack
NVD
CVSS 2.0
5.0
EPSS
2.7%
CVE-2014-10022 MEDIUM This Month

Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Apache Traffic Server
NVD
CVSS 2.0
5.0
EPSS
2.7%
CVE-2014-9527 Maven MEDIUM PATCH This Month

HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Fedora Poi
NVD
CVSS 2.0
5.0
EPSS
1.2%
CVE-2014-3628 Maven MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the fieldvaluecache. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Apache Solr
NVD
CVSS 2.0
4.3
EPSS
1.4%
CVE-2014-8109 MEDIUM PATCH This Month

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 11.7%.

Apache Authentication Bypass Http Server Ubuntu Linux Fedora +2
NVD GitHub
CVSS 2.0
4.3
EPSS
11.7%
CVE-2014-8108 MEDIUM PATCH This Month

The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash). Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Enterprise Linux Desktop Enterprise Linux Hpc Node Enterprise Linux Server +3
NVD
CVSS 2.0
5.0
EPSS
5.0%
CVE-2014-3580 MEDIUM PATCH This Month

The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.7%.

Denial Of Service Apache Enterprise Linux Desktop Enterprise Linux Hpc Node Enterprise Linux Server +5
NVD
CVSS 2.0
5.0
EPSS
13.7%
CVE-2014-8583 MEDIUM PATCH This Month

mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via. Rated medium severity (CVSS 6.9).

Information Disclosure Apache Mod Wsgi
NVD
CVSS 2.0
6.9
EPSS
0.1%
CVE-2014-3583 MEDIUM This Month

The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 41.8% and no vendor patch available.

Denial Of Service Buffer Overflow Apache Mac Os X Os X Server +3
NVD
CVSS 2.0
5.0
EPSS
41.8%
CVE-2014-7809 Maven MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Apache Struts
NVD
CVSS 2.0
6.8
EPSS
7.5%
CVE-2014-7807 MEDIUM This Month

Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Cloudstack
NVD
CVSS 2.0
5.0
EPSS
0.4%
CVE-2014-3627 Maven MEDIUM PATCH This Month

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Hadoop
NVD
CVSS 2.0
5.0
EPSS
1.6%
CVE-2014-3629 MEDIUM This Month

XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache XXE Microsoft Qpid
NVD
CVSS 2.0
4.3
EPSS
1.7%
CVE-2014-0228 Maven LOW PATCH Monitor

Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.

Apache Authentication Bypass Hive
NVD
CVSS 2.0
3.5
EPSS
0.3%
CVE-2013-3737 MEDIUM PATCH This Month

The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Request Tracker
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2014-3502 MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Google Information Disclosure Apache Cordova
NVD
CVSS 2.0
4.3
EPSS
1.5%
CVE-2014-3501 MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist and connect to arbitrary servers by using JavaScript to open WebSocket connections through WebView. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Google Apache Cordova
NVD
CVSS 2.0
4.3
EPSS
1.7%
CVE-2014-3500 MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to change the start page via a crafted intent URL. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Information Disclosure Apache Cordova
NVD
CVSS 2.0
6.4
EPSS
1.2%
CVE-2014-8567 CRITICAL Act Now

The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Apache Mod Auth Mellon Enterprise Linux Desktop Enterprise Linux Server +4
NVD GitHub
CVSS 2.0
9.4
EPSS
3.6%
CVE-2014-3623 Maven MEDIUM PATCH This Month

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Wss4J Cxf
NVD
CVSS 2.0
5.0
EPSS
2.5%
CVE-2014-3584 Maven MEDIUM PATCH This Month

The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Cxf
NVD
CVSS 2.0
5.0
EPSS
5.6%
CVE-2014-3581 MEDIUM PATCH This Month

The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Apache Http Server Ubuntu Linux +8
NVD
CVSS 2.0
5.0
EPSS
4.8%
CVE-2014-0074 HIGH POC This Week

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Authentication Bypass Shiro
NVD
CVSS 2.0
7.5
EPSS
0.3%
CVE-2014-6278 HIGH POC KEV PATCH THREAT Act Now

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Command Injection Apache SSH
NVD Exploit-DB VulDB
CVSS 3.1
8.8
EPSS
90.1%
Threat
7.5
CVE-2012-6107 MEDIUM This Month

Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Apache Apache Axis2 C
NVD
CVSS 2.0
4.3
EPSS
3.4%
CVE-2014-6277 CRITICAL POC THREAT Emergency

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.8%.

Command Injection Denial Of Service SSH RCE Apache +1
NVD Exploit-DB
CVSS 2.0
10.0
EPSS
86.8%
Threat
6.1
CVE-2014-7169 CRITICAL POC KEV PATCH THREAT Act Now

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Command Injection Apache SSH
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
90.1%
Threat
7.7
CVE-2014-6271 CRITICAL POC KEV PATCH THREAT Act Now

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Command Injection Apache SSH RCE
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
94.2%
Threat
7.8
CVE-2013-4444 Maven MEDIUM PATCH This Month

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Tomcat Code Injection File Upload RCE Apache
NVD
CVSS 2.0
6.8
EPSS
9.5%
CVE-2014-3574 Maven MEDIUM PATCH This Month

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 11.1%.

Denial Of Service Apache Poi
NVD
CVSS 2.0
4.3
EPSS
11.1%
CVE-2014-3529 Maven MEDIUM PATCH This Month

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XXE Apache Poi
NVD
CVSS 2.0
4.3
EPSS
5.2%
CVE-2012-6153 Maven MEDIUM PATCH This Month

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Java Apache Commons Httpclient
NVD
CVSS 2.0
4.3
EPSS
1.2%
CVE-2014-3596 Maven MEDIUM PATCH This Month

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Information Disclosure Apache Axis
NVD
CVSS 2.0
5.8
EPSS
1.2%
CVE-2014-3575 MEDIUM This Month

The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Apache Enterprise Linux Desktop Enterprise Linux Server Enterprise Linux Workstation +2
NVD
CVSS 2.0
4.3
EPSS
9.9%
CVE-2014-3524 CRITICAL Act Now

Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Epss exploitation probability 10.7% and no vendor patch available.

Command Injection Apache Openoffice Libreoffice
NVD
CVSS 2.0
9.3
EPSS
10.7%
CVE-2014-3525 CRITICAL Act Now

Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Traffic Server
NVD
CVSS 2.0
10.0
EPSS
1.3%
CVE-2014-0232 MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 12.6%.

XSS Apache Ofbiz
NVD
CVSS 2.0
4.3
EPSS
12.6%
CVE-2014-3577 Maven MEDIUM POC PATCH This Month

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Apache Httpclient Httpasyncclient
NVD
CVSS 2.0
5.8
EPSS
1.4%
CVE-2014-3528 MEDIUM This Month

Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. No vendor patch available.

Apache Authentication Bypass Opensuse Subversion Ubuntu Linux +6
NVD
CVSS 2.0
4.0
EPSS
3.4%
CVE-2014-3522 MEDIUM PATCH This Month

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable.

Information Disclosure Apache Subversion Opensuse Ubuntu Linux +1
NVD
CVSS 2.0
4.0
EPSS
2.6%
CVE-2014-0103 LOW Monitor

WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

PHP Information Disclosure Apache Webapp Zarafa +1
NVD
CVSS 2.0
2.1
EPSS
0.1%
CVE-2014-3523 MEDIUM PATCH This Month

Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 35.2%.

Apache Denial Of Service Microsoft Http Server Apache HTTP Server
NVD
CVSS 2.0
5.0
EPSS
35.2%
CVE-2014-0231 MEDIUM PATCH This Month

The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 44.2%.

Denial Of Service Apache Http Server Apache HTTP Server
NVD
CVSS 2.0
5.0
EPSS
44.2%
CVE-2014-0226 MEDIUM POC PATCH THREAT This Month

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 75.4%.

Race Condition Denial Of Service Buffer Overflow RCE Apache +6
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
75.4%
Threat
5.1
CVE-2014-0118 MEDIUM PATCH This Month

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 41.3%.

Denial Of Service Apache Http Server Debian Linux Jboss Enterprise Application Platform +1
NVD
CVSS 2.0
4.3
EPSS
41.3%
CVE-2014-0117 MEDIUM PATCH This Month

The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 57.0%.

Denial Of Service Apache Http Server Mac Os X Apache HTTP Server
NVD
CVSS 2.0
4.3
EPSS
57.0%
CVE-2013-4352 MEDIUM This Month

The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP servers to cause a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 24.4% and no vendor patch available.

Denial Of Service Apache Http Server Apache HTTP Server
NVD
CVSS 2.0
4.3
EPSS
24.4%
CVE-2014-3503 Maven MEDIUM PATCH This Month

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Syncope
NVD
CVSS 2.0
5.0
EPSS
1.9%
EPSS 1% CVSS 6.5
MEDIUM This Month

Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authenticated users to gain administrative privileges via unspecified vectors, possibly related to changing passwords. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Ambari
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 allows remote authenticated cluster operator users to inject arbitrary web script or HTML via the note field in a configuration. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS Apache Ambari
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Server-side request forgery (SSRF) vulnerability in the proxy endpoint (api/v1/proxy) in Apache Ambari before 2.1.0 allows remote authenticated users to conduct port scans and access unsecured. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity.

SSRF Apache Ambari
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Denial Of Service Java Apache +3
NVD
EPSS 13% CVSS 5.0
MEDIUM PATCH This Month

Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.3%.

Adobe XXE Information Disclosure +3
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Java Authentication Bypass +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Java Authentication Bypass +1
NVD
EPSS 9% CVSS 7.8
HIGH PATCH This Week

Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Denial Of Service Apache +1
NVD
EPSS 86% 5.1 CVSS 5.0
MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.0%.

Path Traversal Apache Microsoft +1
NVD Exploit-DB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal does not check the status of an entity when indexing, which allows remote attackers to obtain information about unpublished content. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Apache Solr Real Time
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The Hostmaster (Aegir) module 6.x-2.x before 6.x-2.4 and 7.x-3.x before 7.x-3.0-beta2 for Drupal allows remote attackers to execute arbitrary PHP code via a crafted file in the directory used to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP Apache +1
NVD
EPSS 41% CVSS 7.5
HIGH PATCH Act Now

The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 40.7%.

Denial Of Service Privilege Escalation Java +4
NVD GitHub
EPSS 70% 4.1 CVSS 9.8
CRITICAL PATCH Act Now

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 69.7%.

RCE Denial Of Service Java +7
NVD
EPSS 1% CVSS 4.0
MEDIUM This Month

The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Subversion +1
NVD
EPSS 17% CVSS 5.0
MEDIUM This Month

mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 17.0% and no vendor patch available.

Information Disclosure Apache Xcode +1
NVD
EPSS 9% CVSS 4.3
MEDIUM This Month

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Apache Ubuntu Linux +5
NVD GitHub
EPSS 28% CVSS 5.0
MEDIUM PATCH This Month

The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 28.3%.

Information Disclosure Apache Http Server +1
NVD GitHub
EPSS 11% CVSS 5.0
MEDIUM This Month

The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 10.6% and no vendor patch available.

Denial Of Service Apache Http Server +5
NVD GitHub
EPSS 5% CVSS 7.5
HIGH PATCH This Week

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Struts
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Apple Authentication Bypass +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Unrestricted file upload vulnerability in the Job Fair (jobfair) extension before 1.0.1 for TYPO3, when using Apache with mod_mime, allows remote attackers to execute arbitrary code by uploading a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Apache +1
NVD
EPSS 39% 4.0 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows remote attackers to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 39.0%.

RCE PHP Denial Of Service +11
NVD
EPSS 9% CVSS 5.0
MEDIUM PATCH This Month

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Tomcat Authentication Bypass +1
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Denial Of Service Apache +1
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

XXE Java Apache +1
NVD
EPSS 3% CVSS 5.0
MEDIUM PATCH This Month

XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

XXE Java Apache +1
NVD
EPSS 3% CVSS 4.3
MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS Apache Sling Api +1
NVD
EPSS 31% CVSS 6.4
MEDIUM POC PATCH THREAT This Month

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 31.0%.

XXE Apache Jackrabbit
NVD Exploit-DB
EPSS 10% CVSS 6.8
MEDIUM This Month

The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Memory Corruption Denial Of Service Buffer Overflow +10
NVD
EPSS 4% CVSS 5.0
MEDIUM This Month

Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Apache +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html in Apache Flex before 4.14.1 allows remote attackers to inject arbitrary web script or HTML by providing a crafted URI to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Apache Flex
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Java Apache +1
NVD
EPSS 25% CVSS 5.0
MEDIUM POC THREAT This Month

internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 25.2%.

Denial Of Service Apache Debian Linux +2
NVD Exploit-DB
EPSS 1% CVSS 6.4
MEDIUM POC PATCH This Month

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service XXE Apache +3
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

RCE XXE Apache +2
NVD
EPSS 19% CVSS 5.0
MEDIUM This Month

The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 18.7% and no vendor patch available.

Denial Of Service Apache Http Server +5
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat RCE Cisco +3
NVD
EPSS 78% CVSS 6.4
MEDIUM PATCH This Month

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 78.2%.

Tomcat Denial Of Service Java +1
NVD
EPSS 14% CVSS 5.0
MEDIUM PATCH This Month

Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks.". Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.9%.

Privilege Escalation Apache Wss4J
NVD
EPSS 4% CVSS 4.3
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Apache Activemq
NVD
EPSS 2% CVSS 5.0
MEDIUM This Month

Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd via unknown vectors, related to 0-10 connection handling. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Qpid
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Java Apache +1
NVD
EPSS 3% CVSS 5.0
MEDIUM This Month

Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Cloudstack
NVD
EPSS 3% CVSS 5.0
MEDIUM This Month

Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Apache +1
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Fedora +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the fieldvaluecache. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Apache Solr
NVD
EPSS 12% CVSS 4.3
MEDIUM PATCH This Month

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 11.7%.

Apache Authentication Bypass Http Server +4
NVD GitHub
EPSS 5% CVSS 5.0
MEDIUM PATCH This Month

The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash). Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Enterprise Linux Desktop +5
NVD
EPSS 14% CVSS 5.0
MEDIUM PATCH This Month

The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.7%.

Denial Of Service Apache Enterprise Linux Desktop +7
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via. Rated medium severity (CVSS 6.9).

Information Disclosure Apache Mod Wsgi
NVD
EPSS 42% CVSS 5.0
MEDIUM This Month

The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 41.8% and no vendor patch available.

Denial Of Service Buffer Overflow Apache +5
NVD
EPSS 8% CVSS 6.8
MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Apache Struts
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Cloudstack
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Hadoop
NVD
EPSS 2% CVSS 4.3
MEDIUM This Month

XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache XXE Microsoft +1
NVD
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.

Apache Authentication Bypass Hive
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Request Tracker
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Google Information Disclosure Apache +1
NVD
EPSS 2% CVSS 4.3
MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist and connect to arbitrary servers by using JavaScript to open WebSocket connections through WebView. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Google Apache +1
NVD
EPSS 1% CVSS 6.4
MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to change the start page via a crafted intent URL. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Information Disclosure Apache +1
NVD
EPSS 4% CVSS 9.4
CRITICAL Act Now

The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Apache Mod Auth Mellon +6
NVD GitHub
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Wss4J +1
NVD
EPSS 6% CVSS 5.0
MEDIUM PATCH This Month

The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Cxf
NVD
EPSS 5% CVSS 5.0
MEDIUM PATCH This Month

The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Apache +10
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Authentication Bypass Shiro
NVD
EPSS 90% 7.5 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Command Injection Apache SSH
NVD Exploit-DB VulDB
EPSS 3% CVSS 4.3
MEDIUM This Month

Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Apache Apache Axis2 C
NVD
EPSS 87% 6.1 CVSS 10.0
CRITICAL POC THREAT Emergency

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.8%.

Command Injection Denial Of Service SSH +3
NVD Exploit-DB
EPSS 90% 7.7 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Command Injection Apache SSH
NVD Exploit-DB VulDB
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Command Injection Apache SSH +1
NVD Exploit-DB VulDB
EPSS 9% CVSS 6.8
MEDIUM PATCH This Month

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Tomcat Code Injection File Upload +2
NVD
EPSS 11% CVSS 4.3
MEDIUM PATCH This Month

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 11.1%.

Denial Of Service Apache Poi
NVD
EPSS 5% CVSS 4.3
MEDIUM PATCH This Month

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XXE Apache Poi
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Java Apache +1
NVD
EPSS 1% CVSS 5.8
MEDIUM PATCH This Month

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Information Disclosure Apache Axis
NVD
EPSS 10% CVSS 4.3
MEDIUM This Month

The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Apache Enterprise Linux Desktop +4
NVD
EPSS 11% CVSS 9.3
CRITICAL Act Now

Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Epss exploitation probability 10.7% and no vendor patch available.

Command Injection Apache Openoffice +1
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Traffic Server
NVD
EPSS 13% CVSS 4.3
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 12.6%.

XSS Apache Ofbiz
NVD
EPSS 1% CVSS 5.8
MEDIUM POC PATCH This Month

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Apache Httpclient +1
NVD
EPSS 3% CVSS 4.0
MEDIUM This Month

Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. No vendor patch available.

Apache Authentication Bypass Opensuse +8
NVD
EPSS 3% CVSS 4.0
MEDIUM PATCH This Month

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable.

Information Disclosure Apache Subversion +3
NVD
EPSS 0% CVSS 2.1
LOW Monitor

WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

PHP Information Disclosure Apache +3
NVD
EPSS 35% CVSS 5.0
MEDIUM PATCH This Month

Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 35.2%.

Apache Denial Of Service Microsoft +2
NVD
EPSS 44% CVSS 5.0
MEDIUM PATCH This Month

The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 44.2%.

Denial Of Service Apache Http Server +1
NVD
EPSS 75% 5.1 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 75.4%.

Race Condition Denial Of Service Buffer Overflow +8
NVD Exploit-DB
EPSS 41% CVSS 4.3
MEDIUM PATCH This Month

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 41.3%.

Denial Of Service Apache Http Server +3
NVD
EPSS 57% CVSS 4.3
MEDIUM PATCH This Month

The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 57.0%.

Denial Of Service Apache Http Server +2
NVD
EPSS 24% CVSS 4.3
MEDIUM This Month

The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP servers to cause a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 24.4% and no vendor patch available.

Denial Of Service Apache Http Server +1
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Syncope
NVD
Prev Page 26 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy