Vulnerabilities > Apache > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-23 | CVE-2023-25621 | Unspecified vulnerability in Apache Sling I18N Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content author is able to create i18n dictionaries in the repository in a location the author has write access to. | 6.5 |
| 2023-02-04 | CVE-2023-22849 | Cross-site Scripting vulnerability in Apache Sling CMS An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling App CMS >= 1.1.6 | 6.1 |
| 2023-01-31 | CVE-2022-25147 | Integer Overflow or Wraparound vulnerability in Apache Portable Runtime Utility Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions. | 6.5 |
| 2023-01-31 | CVE-2022-44644 | Improper Input Validation vulnerability in Apache Linkis In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. | 6.5 |
| 2023-01-17 | CVE-2022-37436 | HTTP Response Splitting vulnerability in Apache Http Server Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. | 5.3 |
| 2023-01-16 | CVE-2022-41703 | SQL Injection vulnerability in Apache Superset A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). | 5.4 |
| 2023-01-16 | CVE-2022-43717 | Cross-site Scripting vulnerability in Apache Superset Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | 5.4 |
| 2023-01-16 | CVE-2022-43718 | Cross-site Scripting vulnerability in Apache Superset Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | 5.4 |
| 2023-01-16 | CVE-2022-43720 | Unspecified vulnerability in Apache Superset An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | 5.4 |
| 2023-01-16 | CVE-2022-43721 | Open Redirect vulnerability in Apache Superset An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | 5.4 |