National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • Keyword (text search): Apache
There are 1,698 matching records.
Displaying matches 1501 through 1520.
Vuln ID Summary CVSS Severity
CVE-2006-0042

Unspecified vulnerability in (1) apreq_parse_headers and (2) apreq_parse_urlencoded functions in Apache2::Request (Libapreq2) before 2.07 allows remote attackers to cause a denial of service (CPU consumption) via unknown attack vectors that result in quadratic computational complexity.

Published: February 18, 2006; 04:02:00 PM -05:00
    V2: 5.0 MEDIUM
CVE-2006-0254

Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) time parameter to cal2.jsp and (2) any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer.

Published: January 17, 2006; 08:51:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2006-0144

The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in Apache2Triad, allows remote attackers to execute arbitrary PHP code by redirecting go-pear.php to a malicious proxy server that provides a modified version of Tar.php with a malicious extractModify function.

Published: January 09, 2006; 06:03:00 PM -05:00
    V2: 7.5 HIGH
CVE-2006-0150

Multiple format string vulnerabilities in the auth_ldap_log_reason function in Apache auth_ldap 1.6.0 and earlier allows remote attackers to execute arbitrary code via various vectors, including the username.

Published: January 09, 2006; 06:03:00 PM -05:00
    V2: 7.5 HIGH
CVE-2005-1753

** DISPUTED ** ReadMessage.jsp in JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to view other users' e-mail attachments via a direct request to /mailboxesdir/username@domainname. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products."

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2005-1754

** DISPUTED ** JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to read arbitrary files via a full pathname in the argument to the Download parameter. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products."

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2005-3357

mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference.

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 5.4 MEDIUM
CVE-2005-3630

Fedora Directory Server before 10 allows remote attackers to obtain sensitive information, such as the password from adm.conf via an IFRAME element, probably involving an Apache httpd.conf configuration that orders "allow" directives before "deny" directives.

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2005-3656

Multiple format string vulnerabilities in logging functions in mod_auth_pgsql before 2.0.3, when used for user authentication against a PostgreSQL database, allows remote unauthenticated attackers to execute arbitrary code, as demonstrated via the username.

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 10.0 HIGH
CVE-2005-4703

Apache Tomcat 4.0.3, when running on Windows, allows remote attackers to obtain sensitive information via a request for a file that contains an MS-DOS device name such as lpt9, which leaks the pathname in an error message, as demonstrated by lpt9.xtp using Nikto.

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2005-4814

Unrestricted file upload vulnerability in Segue CMS before 1.3.6, when the Apache HTTP Server handles .phtml files with the PHP interpreter, allows remote attackers to upload and execute arbitrary PHP code by placing .phtml files in the userfiles/ directory.

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 7.5 HIGH
CVE-2005-4836

The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 7.8 HIGH
CVE-2005-4838

Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 4.3 MEDIUM
CVE-2005-4849

Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2005-4857

eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, 3.7 before 3.7.3, and 3.8 before 20051128 allows remote authenticated users to cause a denial of service (Apache httpd segmentation fault) via a request to content/advancedsearch.php with an empty SearchContentClassID parameter, reportedly related to a "memory addressing error".

Published: December 31, 2005; 12:00:00 AM -05:00
    V2: 4.0 MEDIUM
CVE-2005-3352

Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.

Published: December 13, 2005; 03:03:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2005-3745

Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message.

Published: November 22, 2005; 06:03:00 AM -05:00
    V2: 4.3 MEDIUM
CVE-2005-3351

SpamAssassin 3.0.4 allows attackers to bypass spam detection via an e-mail with a large number of recipients ("To" addresses), which triggers a bus error in Perl.

Published: November 20, 2005; 04:03:00 PM -05:00
    V2: 5.0 MEDIUM
CVE-2005-3510

Apache Tomcat 5.5.0 to 5.5.11 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous requests to list a web directory that has a large number of files.

Published: November 06, 2005; 06:02:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2005-3392

Unspecified vulnerability in PHP before 4.4.1, when using the virtual function on Apache 2, allows remote attackers to bypass safe_mode and open_basedir directives.

Published: November 01, 2005; 07:47:00 AM -05:00
    V2: 7.5 HIGH