Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-11-02 CVE-2022-43670 Unspecified vulnerability in Apache Sling CMS
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature.
network
low complexity
apache
5.4
2022-11-02 CVE-2022-43982 Cross-site Scripting vulnerability in Apache Airflow
In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.
network
low complexity
apache CWE-79
6.1
2022-11-02 CVE-2022-43985 Unspecified vulnerability in Apache Airflow
In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.
network
low complexity
apache
6.1
2022-11-01 CVE-2022-31777 Unspecified vulnerability in Apache Spark
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
network
low complexity
apache
5.4
2022-11-01 CVE-2022-34662 Unspecified vulnerability in Apache Dolphinscheduler
When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users.
network
low complexity
apache
6.5
2022-10-28 CVE-2022-26884 Path Traversal vulnerability in Apache Dolphinscheduler
Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
network
low complexity
apache CWE-22
6.5
2022-10-25 CVE-2022-34870 Cross-site Scripting vulnerability in Apache Geode
Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries.
network
low complexity
apache CWE-79
5.4
2022-10-19 CVE-2022-42466 Unspecified vulnerability in Apache Isis
Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved.
network
low complexity
apache
6.1
2022-10-19 CVE-2022-42467 Insecure Default Initialization of Resource vulnerability in Apache Isis
When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database.
network
low complexity
apache CWE-1188
5.3
2022-10-06 CVE-2022-40159 Out-of-bounds Write vulnerability in Apache Commons Jxpath
** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation.
network
low complexity
apache CWE-787
6.5