Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-08-14 CVE-2017-9802 Cross-site Scripting vulnerability in Apache Sling Servlets Post 2.3.20
The JavaScript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the JavaScript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.
network
low complexity
apache CWE-79
6.1
2017-08-11 CVE-2017-7674 Insufficient Verification of Data Authenticity vulnerability in Apache Tomcat
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin.
network
low complexity
apache CWE-345
4.3
2017-08-10 CVE-2016-6812 Cross-site Scripting vulnerability in Apache CXF
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints.
network
low complexity
apache CWE-79
6.1
2017-08-10 CVE-2016-6794 When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager.
network
low complexity
apache debian redhat netapp canonical oracle
5.3
2017-08-10 CVE-2016-0762 Information Exposure Through Discrepancy vulnerability in multiple products
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist.
network
high complexity
apache canonical debian redhat netapp oracle CWE-203
5.9
2017-07-19 CVE-2016-5394 Cross-site Scripting vulnerability in Apache Sling
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
network
low complexity
apache CWE-79
6.1
2017-07-17 CVE-2017-7685 Unspecified vulnerability in Apache Openmeetings
Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.
network
low complexity
apache
5.3
2017-07-17 CVE-2017-7663 Cross-site Scripting vulnerability in Apache Openmeetings 3.2.0/3.2.1
Both global and Room chat are vulnerable to XSS attacks in Apache OpenMeetings 3.2.0.
network
low complexity
apache CWE-79
6.1
2017-07-13 CVE-2017-7672 Improper Input Validation vulnerability in Apache Struts
If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL.
network
high complexity
apache CWE-20
5.9
2017-07-12 CVE-2017-7678 Cross-site Scripting vulnerability in Apache Spark
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master or history server.
network
low complexity
apache CWE-79
6.1