The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration…
[org.apache.atlas:atlas-common] Insecure cookie storage in Apache Atlas
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating use cookies that could be accessible to client-side script.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-3150
https://lists.apache.org/thread.html/4a4fef91e067fd0d9da569e30867c1fa65e2…
[org.apache.atlas:atlas-common] Cross-site Scripting in Apache Atlas
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to DOM XSS in the edit-tag functionality.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-3152
https://lists.apache.org/thread.html/4a4fef91e067fd0d9da569e30867c1fa…
[org.apache.atlas:atlas-common] Cross-site Scripting in Apache Atlas
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Reflected XSS in the search functionality.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-3153
https://lists.apache.org/thread.html/4a4fef91e067fd0d9da569e30867…
[org.apache.atlas:atlas-common] Cross-site Scripting in Apache Atlas
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to cross frame scripting.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-3155
https://lists.apache.org/thread.html/4a4fef91e067fd0d9da569e30867c1fa65e2a0520acde71d…
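The two Atlas weaknesses above (cookies readable from script, pages that other origins can frame) are both visible in the HTTP response headers. The following header audit is an added example, not Apache Atlas code: it reports Set-Cookie values without HttpOnly or Secure, and responses that carry neither X-Frame-Options DENY/SAMEORIGIN nor a restrictive CSP frame-ancestors directive. The sample headers and cookie name are constructed, not captured from Atlas.

```python
"""Header audit for script-readable cookies and frameable pages.
Added example; the sample responses below are constructed."""

from typing import List, Tuple

Header = Tuple[str, str]


def cookie_findings(set_cookie: str) -> List[str]:
    """Return the problems with one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    problems = []
    if "httponly" not in attrs:
        problems.append(f"cookie {name!r} lacks HttpOnly (readable via document.cookie)")
    if "secure" not in attrs:
        problems.append(f"cookie {name!r} lacks Secure (sent over plaintext HTTP)")
    return problems


def framing_findings(headers: List[Header]) -> List[str]:
    """Report a response that does not forbid cross-origin framing."""
    xfo, csp = None, None
    for k, v in headers:
        kl = k.lower()
        if kl == "x-frame-options":
            xfo = v.strip().upper()
        elif kl == "content-security-policy":
            csp = v
    csp_protects = False
    if csp:
        for directive in csp.split(";"):
            toks = directive.split()
            if toks and toks[0].lower() == "frame-ancestors":
                sources = [t.lower() for t in toks[1:]]
                # 'none' or an explicit origin list is restrictive; '*' is not.
                csp_protects = bool(sources) and "*" not in sources
    xfo_protects = xfo in ("DENY", "SAMEORIGIN")
    if not (csp_protects or xfo_protects):
        return ["response can be framed cross-origin: no X-Frame-Options "
                "DENY/SAMEORIGIN and no restrictive CSP frame-ancestors"]
    return []


def audit(headers: List[Header]) -> List[str]:
    """All findings for one response's header list."""
    findings = []
    for k, v in headers:
        if k.lower() == "set-cookie":
            findings.extend(cookie_findings(v))
    findings.extend(framing_findings(headers))
    return findings


# Constructed sample responses (not captured from Apache Atlas).
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs) or "no findings")
```

Running it against real traffic means feeding the header list from a captured response; note that a CSP with frame-ancestors overrides X-Frame-Options in browsers that support it, so the audit accepts either as sufficient.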
[org.apache.geode:geode-core] Apache Geode gfsh query vulnerability
When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user’s concurrentl…
[mistune] Cross-site Scripting in Mistune
mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-15612
https://github.com/lepture…
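The newline trick works because a browser's URL parser deletes ASCII tab, LF and CR anywhere in a URL and strips leading and trailing control characters and spaces before it reads the scheme, so a prefix check on the raw string sees "java\nscript:" while the browser executes javascript:. The block below is an added example, not Mistune's code: it shows a naive denylist check of the kind that fails this way beside a hardened check that normalizes the way a browser does and allowlists the scheme, and an autolink renderer that escapes the href so a crafted address cannot break out of the attribute. Function names are mine.

```python
"""Why 'java\\nscript:' slips past a prefix check, and a hardened check.
Added example; not Mistune's code, the function names are the author's own."""

import html
import re

# Characters the WHATWG URL parser removes before reading the scheme:
# tab/LF/CR anywhere, C0 controls and space at either end.
_TAB_NL = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}


def naive_is_safe(url: str) -> bool:
    """Denylist on the raw string: the shape of check that the newline defeats."""
    return not url.lower().startswith(("javascript:", "vbscript:", "data:"))


def normalize_like_browser(url: str) -> str:
    """Apply the same stripping a browser does before it reads the scheme."""
    return _TAB_NL.sub("", url).strip(_C0_AND_SPACE)


def hardened_is_safe(url: str) -> bool:
    """Allowlist the scheme of the browser-normalized URL."""
    m = _SCHEME.match(normalize_like_browser(url))
    if m is None:
        return True  # no scheme at all: a relative URL cannot be javascript:
    # A bare 'host:port' is rejected here too; that is the safe side.
    return m.group(1).lower() in ALLOWED_SCHEMES


def render_autolink(url: str, is_safe) -> str:
    """Emit <a href> only when is_safe accepts the URL, else plain text.
    Both attribute and text are HTML-escaped so a crafted address such as
    x"onmouseover="...@example.com cannot close the href attribute."""
    if not is_safe(url):
        return html.escape(url)
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>'


if __name__ == "__main__":
    payload = "java\nscript:alert(1)"
    print("naive   :", render_autolink(payload, naive_is_safe))
    print("hardened:", render_autolink(payload, hardened_is_safe))
```

The naive renderer emits the newline verbatim inside href; because the browser discards it, the link is live. The hardened path renders the payload as inert text.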
[com.neovisionaries:nv-websocket-client] nv-websocket-client allows attackers to spoof SSL/TLS servers via an arbitrary valid certificate
The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS s…
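The point of the advisory is that chain validation alone is not enough: any certificate a trusted CA issued for some other host passes it, so the client must also compare the name it connected to against the certificate's names. The following is an added example in Python, not nv-websocket-client code, of that check in the form RFC 6125 and browsers apply: dNSName and iPAddress entries from subjectAltName are authoritative, the subject CN is consulted only when there is no subjectAltName, matching is case-insensitive, and a wildcard is accepted only as the whole leftmost label matching exactly one label. It works on the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the certificates below are constructed and assumed already to chain to a trusted CA.

```python
"""Hostname verification against a certificate's SAN/CN entries.
Added example; the certificate dicts below are constructed and use the
structure returned by ssl.SSLSocket.getpeercert()."""

import ipaddress
from typing import List, Tuple


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' allowed only as the entire leftmost label,
    standing for exactly one label, and never at the second level (*.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False  # partial (f*o.example.com) or overly broad (*.com) wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _cert_names(cert: dict) -> Tuple[List[str], List[str]]:
    """Collect DNS names and IP addresses the certificate is valid for."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        # Legacy fallback: CN counts only when no subjectAltName is present.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def hostname_matches(cert: dict, server_name: str) -> bool:
    """True when the name we dialled is one the certificate was issued for."""
    dns, ips = _cert_names(cert)
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ips)
    return any(_dns_match(p, server_name) for p in dns)


# Constructed certificates (not real issuances).
VALID_CERT = {
    "subject": ((("commonName", "ws.example.com"),),),
    "subjectAltName": (("DNS", "ws.example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}
# A perfectly valid CA-signed certificate for a different host: exactly what a
# man-in-the-middle presents to a client that skips the name check.
OTHER_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}

if __name__ == "__main__":
    print("own cert   :", hostname_matches(VALID_CERT, "ws.example.com"))
    print("other host :", hostname_matches(OTHER_CERT, "ws.example.com"))
```

In a real client this runs after the TLS handshake has validated the chain, with server_name being the host from the WebSocket URL, and the connection is torn down on a False result.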
[io.undertow:undertow-core] Undertow Uncaught Exception vulnerability
A long URL in a proxied request leads to a java.nio.BufferOverflowException in Undertow.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-7046
https://bugzilla.redhat.com/show_bug.cgi?id=1376646
https://github.com/undertow-io/undertow/commit/c518b5a1784061d…
[org.jenkins-ci.main:jenkins-core] Cross-site Scripting in Jenkins Core
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.
References…