Apache: Security Vulnerabilities
The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article. Mitigation: Upgrade to Apache OFBiz 16.11.01.
CVSS Score
6.1
EPSS Score
0.027
Published
2017-08-30
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
CVSS Score
7.5
EPSS Score
0.164
Published
2017-08-30
Apache Atlas versions 0.6.0 (incubating), 0.7.0 (incubating), and 0.7.1 (incubating) allow access to the webapp directory contents by pointing to URIs like /js and /img.
CVSS Score
7.5
EPSS Score
0.01
Published
2017-08-29
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating use cookies that could be accessible to client-side script.
CVSS Score
6.1
EPSS Score
0.01
Published
2017-08-29
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Stored Cross-Site Scripting in the edit-tag functionality.
CVSS Score
6.1
EPSS Score
0.01
Published
2017-08-29
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to DOM XSS in the edit-tag functionality.
CVSS Score
6.1
EPSS Score
0.014
Published
2017-08-29
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Reflected XSS in the search functionality.
CVSS Score
6.1
EPSS Score
0.014
Published
2017-08-29
Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating included stack trace, exposing excessive information.
CVSS Score
7.5
EPSS Score
0.008
Published
2017-08-29
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to cross frame scripting.
CVSS Score
6.1
EPSS Score
0.019
Published
2017-08-29
Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
CVSS Score
7.5
EPSS Score
0.036
Published
2017-08-29