Apache: Security Vulnerabilities
The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.
CVSS Score: 5.0 | EPSS Score: 0.094 | Published: 2014-12-15
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
CVSS Score: 6.8 | EPSS Score: 0.125 | Published: 2014-12-10
Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind.
CVSS Score: 5.0 | EPSS Score: 0.004 | Published: 2014-12-10
The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.
CVSS Score: 5.0 | EPSS Score: 0.016 | Published: 2014-12-05
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
CVSS Score: 6.1 | EPSS Score: 0.053 | Published: 2014-11-24
XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message.
CVSS Score: 4.3 | EPSS Score: 0.017 | Published: 2014-11-17
Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.
CVSS Score: 3.5 | EPSS Score: 0.003 | Published: 2014-11-16
Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent.
CVSS Score: 4.3 | EPSS Score: 0.015 | Published: 2014-11-15
Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist and connect to arbitrary servers by using JavaScript to open WebSocket connections through WebView.
CVSS Score: 4.3 | EPSS Score: 0.017 | Published: 2014-11-15
Apache Cordova Android before 3.5.1 allows remote attackers to change the start page via a crafted intent URL.
CVSS Score: 6.4 | EPSS Score: 0.012 | Published: 2014-11-15

