Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-03-29 CVE-2023-28158 Unspecified vulnerability in Apache Archiva
Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users who can create a directory name that injects XSS content and thereby gain privileges such as those of an admin user.
network
low complexity
apache
5.4
2023-03-28 CVE-2023-25196 SQL Injection vulnerability in Apache Fineract
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components.
network
low complexity
apache CWE-89
4.3
2023-03-28 CVE-2023-25197 Unspecified vulnerability in Apache Fineract
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to exploit this for limited impact on components.
network
low complexity
apache
6.3
2023-03-22 CVE-2023-28708 Unspecified vulnerability in Apache Tomcat
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute.
network
low complexity
apache
4.3
2023-03-15 CVE-2023-25695 Unspecified vulnerability in Apache Airflow
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow before 2.5.2.
network
low complexity
apache
5.3
2023-02-23 CVE-2023-25621 Unspecified vulnerability in Apache Sling I18N
Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content author is able to create i18n dictionaries in the repository in a location the author has write access to.
network
low complexity
apache
6.5
2023-02-04 CVE-2023-22849 Unspecified vulnerability in Apache Sling CMS
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling App CMS >= 1.1.6.
network
low complexity
apache
6.1
2023-01-31 CVE-2022-25147 Unspecified vulnerability in Apache Portable Runtime Utility
Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.
network
low complexity
apache
6.5
2023-01-31 CVE-2022-44644 Unspecified vulnerability in Apache Linkis
In Apache Linkis <=1.3.0, when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server and setting allowLoadLocalInfile to true in the JDBC parameter.
network
low complexity
apache
6.5
2023-01-17 CVE-2022-37436 Unspecified vulnerability in Apache Http Server
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body.
network
low complexity
apache
5.3