Vulnerabilities > Apache > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-11-02 | CVE-2022-43670 | Unspecified vulnerability in Apache Sling CMS: an improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the taxonomy management feature. | 5.4 |
2022-11-02 | CVE-2022-43982 | Cross-site Scripting vulnerability in Apache Airflow: in Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | 6.1 |
2022-11-02 | CVE-2022-43985 | Unspecified vulnerability in Apache Airflow: in Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | 6.1 |
2022-11-01 | CVE-2022-31777 | Unspecified vulnerability in Apache Spark: a stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user by including a malicious payload in the logs, which would then be rendered in the UI. | 5.4 |
2022-11-01 | CVE-2022-34662 | Unspecified vulnerability in Apache DolphinScheduler: when a logged-in user adds a resource to the resource center with a relative path, a path traversal issue can occur; the issue affects only logged-in users. | 6.5 |
2022-10-28 | CVE-2022-26884 | Path Traversal vulnerability in Apache DolphinScheduler: users can read arbitrary files via the log server; Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. | 6.5 |
2022-10-25 | CVE-2022-34870 | Cross-site Scripting vulnerability in Apache Geode: Apache Geode versions up to 1.15.0 are vulnerable to cross-site scripting (XSS) via data injection when using the Pulse web application to view Region entries. | 5.4 |
2022-10-19 | CVE-2022-42466 | Unspecified vulnerability in Apache Isis: prior to 2.0.0-M9, it was possible for an end user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. | 6.1 |
2022-10-19 | CVE-2022-42467 | Insecure Default Initialization of Resource vulnerability in Apache Isis: when running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available, with the ability to directly query the database. | 5.3 |
2022-10-06 | CVE-2022-40159 | Out-of-bounds Write vulnerability in Apache Commons JXPath: ** DISPUTED ** This record was originally reported by the oss-fuzz project, which failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. | 6.5 |