Vulnerabilities in Apache Software Foundation

1,872 results

CVE-2019-0186—The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting (XSS) attacks. MitigatiEPSS 20.6%CVE-2018-1336—An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a DenEPSS 20.6%CVE-2018-1322—An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x andEPSS 20.5%CVE-2017-3167—In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentEPSS 20.2%CVE-2018-17199—In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes sessEPSS 20.0%CVE-2017-3169—In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_prEPSS 20.0%CVE-2016-4975—mod_userdir CRLF injectionEPSS 19.8%CVE-2018-8013—In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the claEPSS 19.5%CVE-2017-3164—Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding wEPSS 19.4%CVE-2018-17189—In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that reEPSS 19.4%CVE-2019-0196—A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to aEPSS 19.3%CVE-2022-26377—mod_proxy_ajp: Possible request smugglingEPSS 19.0%CVE-2017-9800—A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alphaEPSS 18.9%CVE-2017-15710—In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the EPSS 18.2%CVE-2021-25122—Apache Tomcat h2c request mix-upEPSS 18.1%CVE-2018-1321—An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1EPSS 18.0%CVE-2019-0220—A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slasEPSS 17.9%CVE-2024-41107HIGHApache CloudStack: SAML Signature ExclusionEPSS 17.8%CVE-2017-15708—In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previousEPSS 17.7%CVE-2018-1304—The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4EPSS 17.7%

← previouspage 11 / 94next →