Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-08-02 CVE-2024-27182 Files or Directories Accessible to External Parties vulnerability in Apache Linkis 1.3.2/1.4.0/1.5.0
In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user. Users are recommended to upgrade to version 1.6.0, which fixes this issue.
network
low complexity
apache CWE-552
4.9
2024-07-26 CVE-2024-25090 Improper Input Validation vulnerability in Apache Roller
Insufficient input validation and sanitization in the Profile name & screenname, Bookmark name & description, and blogroll name features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack.
network
low complexity
apache CWE-20
5.4
2024-07-22 CVE-2024-34457 Authorization Bypass Through User-Controlled Key vulnerability in Apache Streampark
On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view every user's Flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4.
network
low complexity
apache CWE-639
6.5
2024-07-22 CVE-2024-38503 Cross-site Scripting vulnerability in Apache Syncope
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to version 3.0.8, which fixes this issue.
network
low complexity
apache CWE-79
5.4
2024-07-18 CVE-2024-40725 Unspecified vulnerability in Apache Http Server 2.4.60/2.4.61
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers.
network
low complexity
apache
5.3
2024-07-17 CVE-2023-52291 Command Injection vulnerability in Apache Streampark
In StreamPark, the project module integrates Maven's compilation capabilities.
network
low complexity
apache CWE-77
4.7
2024-07-17 CVE-2024-29737 Command Injection vulnerability in Apache Streampark
In StreamPark, the project module integrates Maven's compilation capabilities.
network
low complexity
apache CWE-77
4.7
2024-07-17 CVE-2024-31979 Server-Side Request Forgery (SSRF) vulnerability in Apache Streampipes
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements.
network
low complexity
apache CWE-918
4.3
2024-07-17 CVE-2024-39863 Cross-site Scripting vulnerability in Apache Airflow
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider.
network
low complexity
apache CWE-79
5.4
2024-07-15 CVE-2023-41916 Files or Directories Accessible to External Parties vulnerability in Apache Linkis 1.4.0/1.5.0
In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious MySQL JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading.
network
low complexity
apache CWE-552
6.5