| 2020-12-02 | CVE-2020-13956 | Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. | 5.3 |
| 2020-12-01 | CVE-2020-11990 | Unspecified vulnerability in Apache Cordova 4.1.0
We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. | 3.3 |
| 2020-11-28 | CVE-2020-27218 | In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. | 4.8 |
| 2020-11-24 | CVE-2020-13942 | Injection vulnerability in Apache Unomi 1.5.0/1.5.1
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. | 9.8 |
| 2020-11-19 | CVE-2019-12412 | NULL Pointer Dereference vulnerability in Apache Libapreq2
A flaw in the libapreq2 v2.07 to v2.13 multipart parser can deference a null pointer leading to a process crash. | 7.5 |
| 2020-11-17 | CVE-2020-13958 | Unspecified vulnerability in Apache Openoffice
A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. | 7.8 |
| 2020-11-16 | CVE-2020-26217 | XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. | 8.8 |
| 2020-11-12 | CVE-2019-17566 | Server-Side Request Forgery (SSRF) vulnerability in multiple products
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. | 7.5 |
| 2020-11-12 | CVE-2020-13954 | Cross-site Scripting vulnerability in multiple products
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. | 6.1 |
| 2020-11-10 | CVE-2020-13927 | Insecure Default Initialization of Resource vulnerability in Apache Airflow
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. | 9.8 |