Vulnerabilities > Apache

DATE CVE VULNERABILITY TITLE RISK
2013-10-17  CVE-2013-2254  Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apache org.apache.sling.servlets.post 2.2.0/2.3.0
The deepGetOrCreateNode function in impl/operations/AbstractCreateOperation.java in org.apache.sling.servlets.post.bundle 2.2.0 and 2.3.0 in Apache Sling does not properly handle a NULL value that is returned when the session does not have permissions to the root node, which allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors.
Attack vector: network | Complexity: low | Vendor: apache | CWE-119 | Risk: 5.0

2013-09-30  CVE-2013-5697  SQL Injection vulnerability in Simone Tellini mod_accounting 0.5
SQL injection vulnerability in mod_accounting.c in the mod_accounting module 0.5 and earlier for Apache allows remote attackers to execute arbitrary SQL commands via a Host header.
Attack vector: network | Complexity: low | Vendors: simone-tellini, apache | CWE-89 | Risk: 7.5

2013-09-30  CVE-2013-4316  Improper Access Control vulnerability in multiple products
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
Attack vector: network | Complexity: low | Vendors: apache, oracle | CWE-284 | Risk: 10.0 (critical)

2013-09-30  CVE-2013-4310  Permissions, Privileges, and Access Controls vulnerability in Apache Struts
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted "action:" prefix.
Attack vector: network | Vendor: apache | CWE-264 | Risk: 5.8

2013-09-16  CVE-2013-4277  Permissions, Privileges, and Access Controls vulnerability in Apache Subversion
Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option.
Attack vector: local | Vendor: apache | CWE-264 | Risk: 3.3

2013-08-23  CVE-2013-1909  Improper Input Validation vulnerability in multiple products
The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Attack vector: network | Vendors: redhat, apache | CWE-20 | Risk: 5.8

2013-08-19  CVE-2013-2136  Cross-Site Scripting vulnerability in Apache CloudStack
Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone wizard; (2) New network name, (3) instance name, or (4) group to the Instance wizard; (5) unspecified "multi-edit fields;" and (6) unspecified "list view" edit fields related to global settings.
Attack vector: network | Vendor: apache | CWE-79 | Risk: 4.3

2013-08-15  CVE-2013-2250  Improper Input Validation vulnerability in Apache OFBiz
Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL) functions via JUEL metacharacters in unspecified parameters, related to nested expressions.
Attack vector: network | Complexity: low | Vendor: apache | CWE-20 | Risk: 10.0 (critical)

2013-08-15  CVE-2013-2137  Cross-Site Scripting vulnerability in Apache OFBiz
Cross-site scripting (XSS) vulnerability in the "View Log" screen in the Webtools application in Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Attack vector: network | Vendor: apache | CWE-79 | Risk: 4.3

2013-07-31  CVE-2013-4156  Out-of-bounds Write vulnerability in Apache OpenOffice
Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted element in an OOXML document file.
Attack vector: network | Vendor: apache | CWE-787 | Risk: 6.8