Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2016-05-09 CVE-2015-5207 Improper Access Control vulnerability in Apache Cordova
Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods.
local
low complexity
apache CWE-284
5.3
2016-05-05 CVE-2016-2168 Unspecified vulnerability in Apache Subversion
The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check.
network
low complexity
apache
6.5
2016-05-05 CVE-2016-2167 Improper Access Control vulnerability in Apache Subversion
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
network
high complexity
apache CWE-284
6.8
2016-04-19 CVE-2015-1776 Information Exposure vulnerability in Apache Hadoop
Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.
local
low complexity
apache CWE-200
6.2
2016-04-12 CVE-2015-7520 Cross-site Scripting vulnerability in Apache Wicket
Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted "value" attribute in a <input> element.
network
low complexity
apache CWE-79
6.1
2016-04-12 CVE-2015-5347 Cross-site Scripting vulnerability in Apache Wicket
Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title.
network
low complexity
apache CWE-79
6.1
2016-04-12 CVE-2016-4003 Cross-site Scripting vulnerability in Apache Struts
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.
network
low complexity
apache CWE-79
6.1
2016-04-12 CVE-2016-2162 Cross-site Scripting vulnerability in Apache Struts
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.
network
low complexity
apache CWE-79
6.1
2016-04-12 CVE-2016-2166 Information Exposure vulnerability in multiple products
The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
network
high complexity
apache fedoraproject CWE-200
6.5
2016-04-12 CVE-2015-5167 Permissions, Privileges, and Access Controls vulnerability in Apache Ranger 0.4.0/0.4.1/0.5.0
The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrictions via the REST API.
network
low complexity
apache CWE-264
6.5