Vulnerabilities > Apache > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-04-26 | CVE-2017-3161 | Cross-site Scripting vulnerability in Apache Hadoop The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter. | 6.1 |
2017-04-18 | CVE-2017-5653 | Improper Certificate Validation vulnerability in Apache CXF JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. | 5.3 |
2017-04-07 | CVE-2016-6805 | XXE vulnerability in Apache Ignite Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. | 5.9 |
2017-03-29 | CVE-2016-4976 | Information Exposure vulnerability in Apache Ambari Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on the kadmin command line, which allows local users to obtain sensitive information via a process listing. | 5.5 |
2017-03-24 | CVE-2017-5644 | XML Entity Expansion vulnerability in Apache POI Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. | 5.5 |
2017-03-23 | CVE-2014-0229 | Permissions, Privileges, and Access Controls vulnerability in multiple products Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command. | 6.5 |
2017-02-02 | CVE-2016-1566 | Cross-site Scripting vulnerability in Apache Guacamole 0.9.8/0.9.9 Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users, allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. | 5.4 |
2016-12-15 | CVE-2015-3271 | Information Exposure vulnerability in Apache Tika 1.9 Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header. | 5.3 |
2016-09-26 | CVE-2016-5395 | Cross-site Scripting vulnerability in Apache Ranger Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies. | 4.8 |
2016-08-19 | CVE-2016-3089 | Cross-site Scripting vulnerability in Apache Openmeetings Cross-site scripting (XSS) vulnerability in the SWF panel in Apache OpenMeetings before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the swf parameter. | 6.1 |