Lucene search

Instantis Enterprisetrack Security Vulnerabilities - CVSS Score 9 - 10

cve

CVE-2017-5645

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

9.8CVSS

9.5AI Score

0.874EPSS

2017-04-17 09:59 PM

464

cve

CVE-2018-8013

In Apache Batik 1.x before 1.10, when deserializing subclass of AbstractDocument, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

9.8CVSS

8.6AI Score

0.004EPSS

2018-05-24 04:29 PM

132

cve

CVE-2019-0219

A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI.

9.8CVSS

9.1AI Score

0.005EPSS

2020-01-14 03:15 PM

cve

CVE-2019-10082

In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.

9.1CVSS

8.9AI Score

0.008EPSS

2019-09-26 04:15 PM

3200

cve

CVE-2020-11984

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

9.8CVSS

9.3AI Score

0.011EPSS

2020-08-07 04:15 PM

11361

In Wild

cve

CVE-2020-1938

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that...

9.8CVSS

9.9AI Score

0.973EPSS

2020-02-24 10:15 PM

3612

In Wild

cve

CVE-2021-26691

In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow

9.8CVSS

9.5AI Score

0.704EPSS

2021-06-10 07:15 AM

6738

cve

CVE-2021-39275

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

9.8CVSS

9.7AI Score

0.006EPSS

2021-09-16 03:15 PM

5631

cve

CVE-2021-40438

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

9CVSS

9.3AI Score

0.967EPSS

2021-09-16 03:15 PM

3932

In Wild

cve

CVE-2021-42013

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default co...

9.8CVSS

8.2AI Score

0.975EPSS

2021-10-07 04:15 PM

1421

In Wild

cve

CVE-2021-44790

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earl...

9.8CVSS

9.7AI Score

0.109EPSS

2021-12-20 12:15 PM

5940