Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-01-10 | CVE-2017-9795 | Information Exposure vulnerability in Apache Geode When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries that allow read and write access to objects within unauthorized regions. | 7.5 |
| 2018-01-10 | CVE-2017-12622 | Information Exposure vulnerability in Apache Geode When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges. | 7.1 |
| 2018-01-09 | CVE-2012-3353 | Information Exposure vulnerability in Apache Sling JCR Contentloader 2.1.4 The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling JCR content loader module makes it possible to import arbitrary files in the content repository, including local files, causing potential information leaks. | 7.5 |
| 2018-01-04 | CVE-2017-17837 | Cross-site Scripting vulnerability in Apache Deltaspike 1.8.0 The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the windowId handling. | 6.1 |
| 2018-01-04 | CVE-2017-15714 | Injection vulnerability in Apache Ofbiz 16.11.01/16.11.02/16.11.03 The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. | 9.8 |
| 2017-12-28 | CVE-2017-5641 | Deserialization of Untrusted Data vulnerability in multiple products Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. | 9.8 |
| 2017-12-18 | CVE-2017-15700 | Information Exposure vulnerability in Apache Sling Authentication Service 1.4.0 A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim to send over their credentials. | 8.8 |
| 2017-12-18 | CVE-2017-12630 | Cross-site Scripting vulnerability in Apache Drill In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. | 5.4 |
| 2017-12-14 | CVE-2017-5663 | SQL Injection vulnerability in Apache Fineract 0.4.0Incubating/0.5.0Incubating/0.6.0Incubating In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. | 8.8 |
| 2017-12-11 | CVE-2017-15708 | Injection vulnerability in multiple products In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). | 9.8 |