Vulnerabilities > Apache > CXF Fediz

DATE CVE VULNERABILITY TITLE RISK
2018-07-05 CVE-2018-8038 Improper Input Validation vulnerability in Apache CXF Fediz
Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.
network
low complexity
apache CWE-20
7.5
2017-11-30 CVE-2017-12631 Cross-Site Request Forgery (CSRF) vulnerability in Apache CXF Fediz
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications.
network
low complexity
apache CWE-352
8.8
2017-06-07 CVE-2015-5175 Improper Input Validation vulnerability in Apache CXF Fediz
Application plugins in Apache CXF Fediz before 1.1.3 and 1.2.x before 1.2.1 allow remote attackers to cause a denial of service.
network
low complexity
apache CWE-20
7.5
2017-05-16 CVE-2017-7662 Cross-Site Request Forgery (CSRF) vulnerability in Apache CXF Fediz
Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc.
network
low complexity
apache CWE-352
8.8
2017-05-16 CVE-2017-7661 Cross-Site Request Forgery (CSRF) vulnerability in Apache CXF Fediz
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications.
network
low complexity
apache CWE-352
8.8
2016-09-21 CVE-2016-4464 Improper Access Control vulnerability in Apache CXF Fediz
The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.
network
low complexity
apache CWE-284
critical
9.8