Search Results (Refine Search)
- Keyword (text search): Apache
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2011-1419 |
Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088. Published: March 14, 2011; 3:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2011-1088 |
Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. Published: March 14, 2011; 3:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2011-0715 |
The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.16, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request that contains a lock token. Published: March 11, 2011; 5:55:05 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2011-0013 |
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag. Published: February 18, 2011; 8:00:01 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2010-4476 |
The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. Published: February 17, 2011; 2:00:01 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2011-0533 |
Cross-site scripting (XSS) vulnerability in Apache Continuum 1.1 through 1.2.3.1, 1.3.6, and 1.4.0 Beta; and Archiva 1.3.0 through 1.3.3 and 1.0 through 1.22 allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to the autoIncludeParameters setting for the extremecomponents table. Published: February 17, 2011; 1:00:03 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2011-0534 |
Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request. Published: February 10, 2011; 1:00:56 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2010-3718 |
Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack. Published: February 10, 2011; 1:00:01 PM -0500 |
V3.x:(not available) V2.0: 1.2 LOW |
CVE-2010-3854 |
Multiple cross-site scripting (XSS) vulnerabilities in the web administration interface (aka Futon) in Apache CouchDB 0.8.0 through 1.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: February 01, 2011; 8:00:02 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2010-4455 |
Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.2 and 11.1.1.3 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Apache Plugin. Published: January 19, 2011; 12:00:02 PM -0500 |
V3.x:(not available) V2.0: 6.4 MEDIUM |
CVE-2010-4644 |
Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15 allow remote authenticated users to cause a denial of service (memory consumption and daemon crash) via the -g option to the blame command. Published: January 07, 2011; 2:00:20 PM -0500 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2010-4539 |
The walk function in repos.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.15, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger the walking of SVNParentPath collections. Published: January 07, 2011; 2:00:19 PM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2010-4408 |
Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator's password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449. Published: December 06, 2010; 3:13:00 PM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2010-3449 |
Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4, as used in Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1; and Apache Continuum 1.3.6, 1.4.0, and 1.1 through 1.2.3.1; allows remote attackers to hijack the authentication of administrators for requests that modify credentials. Published: December 06, 2010; 3:13:00 PM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2010-4312 |
The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie. Published: November 26, 2010; 3:00:05 PM -0500 |
V3.x:(not available) V2.0: 6.4 MEDIUM |
CVE-2010-4172 |
Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications. Published: November 26, 2010; 3:00:04 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2010-3863 |
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI. Published: November 05, 2010; 1:00:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2010-2057 |
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack. Published: October 20, 2010; 2:00:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2010-0219 |
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service. Published: October 18, 2010; 1:00:03 PM -0400 |
V3.x:(not available) V2.0: 10.0 HIGH |
CVE-2009-5006 |
The SessionAdapter::ExchangeHandlerImpl::checkAlternate function in broker/SessionAdapter.cpp in the C++ Broker component in Apache Qpid before 0.6, as used in Red Hat Enterprise MRG before 1.3 and other products, allows remote authenticated users to cause a denial of service (NULL pointer dereference, daemon crash, and cluster outage) by attempting to modify the alternate of an exchange. Published: October 18, 2010; 1:00:02 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |