Vulnerabilities > Apache > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-08 | CVE-2024-37389 | Cross-site Scripting vulnerability in Apache Nifi Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. | 5.4 |
| 2024-06-24 | CVE-2024-27136 | Cross-site Scripting vulnerability in Apache Jspwiki XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. | 6.1 |
| 2024-06-22 | CVE-2024-38379 | Cross-site Scripting vulnerability in Apache Allura Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users are recommended to upgrade to version 1.17.1, which fixes the issue. | 4.8 |
| 2024-02-29 | CVE-2024-23946 | Unrestricted Upload of File with Dangerous Type vulnerability in Apache Ofbiz Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | 5.3 |
| 2024-02-19 | CVE-2024-25710 | Infinite Loop vulnerability in Apache Commons Compress Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue. | 5.5 |
| 2024-02-19 | CVE-2024-26308 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue. | 5.5 |
| 2024-02-14 | CVE-2024-23952 | Unspecified vulnerability in Apache Superset This is a duplicate for CVE-2023-46104. | 6.5 |
| 2024-02-07 | CVE-2023-39196 | Improper Authentication vulnerability in Apache Ozone 1.2.0/1.2.1/1.3.0 Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0. Users are recommended to upgrade to version 1.4.0, which fixes the issue. | 5.3 |
| 2024-01-24 | CVE-2023-50944 | Missing Authorization vulnerability in Apache Airflow Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. | 6.5 |
| 2024-01-24 | CVE-2023-51702 | Cleartext Storage of Sensitive Information vulnerability in Apache Airflow and Airflow Cncf Kubernetes Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. | 6.5 |