DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2016-04-26 | CVE-2016-3081 | Command Injection vulnerability in multiple products: Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. | 8.1 |
2016-04-15 | CVE-2015-5348 | Data Processing Errors vulnerability in Apache Camel: Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. | 8.1 |
2016-04-14 | CVE-2015-5343 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products: Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, 1.8.x before 1.8.15, and 1.9.x before 1.9.3 allows remote authenticated users to cause a denial of service (subversion server crash or memory consumption) and possibly execute arbitrary code via a skel-encoded request body, which triggers an out-of-bounds read and heap-based buffer overflow. | 7.6 |
2016-04-12 | CVE-2016-0785 | Improper Input Validation vulnerability in Apache Struts: Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. | 8.8 |
2016-04-11 | CVE-2015-5349 | Command Injection vulnerability in Apache Directory Studio and LDAP Studio: The CSV export in Apache LDAP Studio and Apache Directory Studio before 2.0.0-M10 does not properly escape field values, which might allow attackers to execute arbitrary commands by leveraging a crafted LDAP entry that is interpreted as a formula when imported into a spreadsheet. | 7.8 |
2016-04-11 | CVE-2016-0735 | Permissions, Privileges, and Access Controls vulnerability in Apache Ranger 0.5.0/0.5.1: Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restrictions by leveraging mishandling of a resource-level exclude policy. | 8.8 |
2016-04-11 | CVE-2015-0266 | Permissions, Privileges, and Access Controls vulnerability in Apache Ranger 0.4.0: The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs. | 7.1 |
2016-04-11 | CVE-2016-2171 | Permissions, Privileges, and Access Controls vulnerability in Apache Jetspeed: The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API. | 7.5 |
2016-04-11 | CVE-2016-2164 | Information Exposure vulnerability in Apache OpenMeetings: The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file. | 7.5 |
2016-04-11 | CVE-2016-0783 | Information Exposure vulnerability in Apache OpenMeetings: The sendHashByUser function in Apache OpenMeetings before 3.1.1 generates predictable password reset tokens, which makes it easier for remote attackers to reset arbitrary user passwords by leveraging knowledge of a user name and the current system time. | 7.5 |