Vulnerabilities > Apache > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-17 | CVE-2021-42357 | Cross-site Scripting vulnerability in Apache Knox When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. | 6.1 |
| 2022-01-11 | CVE-2021-41767 | Information Exposure vulnerability in Apache Guacamole Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. | 6.5 |
| 2022-01-06 | CVE-2021-36774 | Unspecified vulnerability in Apache Kylin Apache Kylin allows users to read data from other database systems using JDBC. | 6.5 |
| 2022-01-06 | CVE-2021-36737 | Cross-site Scripting vulnerability in Apache Pluto The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. | 6.1 |
| 2022-01-06 | CVE-2021-36738 | Cross-site Scripting vulnerability in Apache Pluto The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. | 6.1 |
| 2022-01-06 | CVE-2021-36739 | Cross-site Scripting vulnerability in Apache Pluto 3.1.0 The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks. | 6.1 |
| 2022-01-04 | CVE-2021-38542 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Apache James 2.2.0/3.3.0/3.4.0 Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. | 5.9 |
| 2022-01-04 | CVE-2021-40111 | Infinite Loop vulnerability in Apache James 2.2.0/3.3.0/3.4.0 In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. | 6.5 |
| 2021-12-28 | CVE-2021-44832 | Improper Input Validation vulnerability in multiple products Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. | 6.6 |
| 2021-12-18 | CVE-2021-45105 | Uncontrolled Recursion vulnerability in multiple products Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. | 5.9 |