CVE-2013-2251
CVE-2013-2251 affects Apache Struts 2 (versions 2.0.0–2.3.15) via improper handling of prefixed parameters in DefaultActionMapper (action:, redirect:, redirectAction:), allowing remote OGNL expression execution and arbitrary code execution. Some sources indicate this was addressed in Struts 2.3.1...
CVE-2022-29405
CVE-2022-29405 concerns Apache Archiva. Affected: Archiva; Issue: any registered user can reset the password for any user due to improper authorization. Impact stated as password reset capability for other users. Mitigation: upgrade to Archiva 2.2.8 (fix mentioned in release notes). If details va...
CVE-2024-27139
CVE-2024-27139 affects Apache Archiva (from 2.0.0) with an Incorrect Authorization vulnerability that allows an unauthenticated attacker to modify account data, potentially leading to account takeover. Public sources in connected documents consistently describe this as an unauthenticated, remote ...
CVE-2024-27140
Apache Archiva is affected by a Cross-site Scripting (XSS) issue described as Improper Neutralization of Input During Web Page Generation. The vulnerability affects Archiva versions 2.0.0 and later, with the project stated as retired and no plan for a fix. Practical impact is an XSS risk in web p...
CVE-2024-27138
CVE-2024-27138 concerns an Incorrect Authorization vulnerability in Apache Archiva. The affected software is Apache Archiva (retired/no longer maintained). The issue arises from a configuration that disables user registration, which can be bypassed, allowing unauthorized users to register or acce...
CVE-2019-0214
Apache Archiva 2.0.0–2.2.3 is affected by CVE-2019-0214, where the artifact upload mechanism allows writing files to arbitrary locations and can overwrite existing files if the Archiva process user has filesystem permissions. Root cause described is improper handling of uploaded artifact file pat...
CVE-2019-0213
CVE-2019-0213 (Apache Archiva) affects Archiva versions prior to 2.2.4. The issue is a stored XSS vulnerability in central configuration entries (e.g., the logo URL) where an attacker with administrative access could inject JavaScript that would execute in a victim’s browser. The risk is describe...
CVE-2022-40308
CVE-2022-40308 affects Apache Archiva prior to version 2.2.9. The issue allows an unauthenticated user, when anonymous read is enabled, to read the database file directly, effectively exposing stored data. The vulnerability originates from the ability to read repository/database files without log...
CVE-2020-9495
CVE-2020-9495 affects Apache Archiva
CVE-2016-5005
CVE-2016-5005 describes a cross-site scripting (XSS) vulnerability in Apache Archiva 1.3.9 and earlier. The issue allows remote authenticated administrators to inject arbitrary web script or HTML via the connector.sourceRepoId parameter to admin/addProxyConnector_commit.action. The vulnerability ...
CVE-2022-40309
CVE-2022-40309 affects Apache Archiva and is triggered when a user with write access to a repository can delete arbitrary directories. Public sources consistently describe the vulnerable condition as existing in Archiva versions prior to 2.2.9. The root cause is a permission/logic flaw that allow...
CVE-2013-2187
CVE-2013-2187 affects Apache Archiva: XSS in the Home Page parameter handling. Vulnerable versions are Archiva 1.2.x up to 1.2.2 and 1.3 up to 1.3.6 (before 1.3.8); the issue allows injection of arbitrary HTML/JS via unspecified parameters. The root cause is input validation related to the home p...
CVE-2023-28158
CVE-2023-28158 – Apache Archiva privilege escalation via stored XSS. Affected software: Apache Archiva 2.x earlier than 2.2.10. Vulnerable component/behavior: stored cross-site scripting through the file upload service; authenticated users can craft directory names to inject XSS content, poten...
CVE-2016-4469
CVE-2016-4469 affects Apache Archiva up to version 1.3.9. The vulnerability consists of multiple cross-site request forgery (CSRF) flaws that allow an attacker to exploit authenticated administrator sessions to perform actions such as adding repository proxy connectors, creating new repositories,...
CVE-2017-5657
Summary: Multiple connected sources confirm that Apache Archiva REST endpoints are vulnerable to CSRF. The underlying issue is lack of CSRF protections, allowing a malicious site loaded in the same browser as Archiva to trigger actions with the current user’s privileges (potentially admin). The r...
CVE-2010-3449
CVE-2010-3449 is a CSRF flaw in Redback (used by Apache Archiva and Apache Continuum) that allows an attacker to hijack administrator sessions to modify credentials. Affected products include Archiva 1.0–1.3.1 (and related Continuum versions) with Redback versions before 1.2.4 used for authentica...
CVE-2011-0533
CVE-2011-0533 is a cross-site scripting (XSS) vulnerability affecting Apache Continuum and Archiva. The issue allows remote attackers to inject arbitrary web script or HTML via a crafted parameter related to the autoIncludeParameters setting for the extremecomponents table in affected versions. A...
CVE-2010-4408
CVE-2010-4408 affects Apache Archiva 1.0–1.3.1. The issue is a cross-site request forgery (CSRF) vulnerability that, due to not requiring the administrator’s password when modifying a user account, could allow context-dependent attackers to gain privileges (e.g., via an unattended workstation or ...
CVE-2011-1077
Apache Archiva is affected by multiple cross-site scripting (XSS) vulnerabilities in versions 1.0–1.2.2 and 1.3.x before 1.3.5. The issues allow remote attackers to inject arbitrary web script or HTML via unspecified vectors; exploitation could compromise user sessions and/or perform actions with...
CVE-2011-1026
Apache Archiva is affected by CSRF vulnerabilities (CVE-2011-1026) in Archiva 1.0–1.2.2 and 1.3.x before 1.3.5. The issues allow remote attackers to hijack administrator sessions, potentially compromising the entire application. Affected component: Archiva web admin/session handling; vulnerabilit...