Search Results (Refine Search)
- Keyword (text search): Apache
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2014-3575 |
The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects. Published: August 26, 2014; 8:55:04 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-3524 |
Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet. Published: August 26, 2014; 10:55:05 AM -0400 |
V3.x:(not available) V2.0: 9.3 HIGH |
CVE-2014-3525 |
Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks. Published: August 22, 2014; 10:55:07 AM -0400 |
V3.x:(not available) V2.0: 10.0 HIGH |
CVE-2014-0232 |
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1) result or (2) error message. Published: August 22, 2014; 10:55:07 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-3577 |
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field. Published: August 21, 2014; 10:55:05 AM -0400 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2014-3528 |
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm. Published: August 19, 2014; 2:55:02 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2014-3522 |
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. Published: August 19, 2014; 2:55:02 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2014-0103 |
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files. Published: July 29, 2014; 10:55:04 AM -0400 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2014-3523 |
Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests. Published: July 20, 2014; 7:12:50 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-0231 |
The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor. Published: July 20, 2014; 7:12:48 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-0226 |
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. Published: July 20, 2014; 7:12:48 AM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2014-0118 |
The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size. Published: July 20, 2014; 7:12:48 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-0117 |
The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Published: July 20, 2014; 7:12:48 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-4352 |
The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP servers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger a missing hostname value. Published: July 20, 2014; 7:12:48 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-3503 |
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack. Published: July 11, 2014; 10:55:04 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-0035 |
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network. Published: July 07, 2014; 10:55:03 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-0034 |
The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token. Published: July 07, 2014; 10:55:03 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-4721 |
The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php. Published: July 06, 2014; 7:55:02 PM -0400 |
V3.x:(not available) V2.0: 2.6 LOW |
CVE-2012-1621 |
Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information. Published: June 19, 2014; 10:55:06 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2011-4367 |
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/. Published: June 19, 2014; 10:55:06 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |