CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-38472 – Apache HTTP Server on WIndows UNC SSRF
https://notcve.org/view.php?id=CVE-2024-38472
SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing. SSRF en el servidor Apache HTTP en Windows permite potencialmente filtrar hashes NTML a un servidor malicioso a través de SSRF y solicitudes o contenido maliciosos. Se recomienda a los usuarios actualizar a la versión 2.4.60, que soluciona este problema. Nota: Las configuraciones existentes que acceden a rutas UNC deberán configurar la nueva directiva "UNCList" para permitir el acceso durante el procesamiento de solicitudes. • https://github.com/Abdurahmon3236/CVE-2024-38472 https://httpd.apache.org/security/vulnerabilities_24.html https://security.netapp.com/advisory/ntap-20240712-0001 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36387 – Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2
https://notcve.org/view.php?id=CVE-2024-36387
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. Ofrecer actualizaciones del protocolo WebSocket a través de una conexión HTTP/2 podría provocar una desreferencia del puntero nulo, lo que provocaría una falla del proceso del servidor y degradaría el rendimiento. • https://httpd.apache.org/security/vulnerabilities_24.html https://security.netapp.com/advisory/ntap-20240712-0001 • CWE-476: NULL Pointer Dereference •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 1CVE-2024-29868 – Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
https://notcve.org/view.php?id=CVE-2024-29868
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. Uso de la vulnerabilidad del generador de números pseudoaleatorios (PRNG) criptográficamente débil en el mecanismo de autorregistro de usuarios y recuperación de contraseñas de Apache StreamPipes. Esto permite a un atacante adivinar el token de recuperación en un tiempo razonable y así hacerse cargo de la cuenta del usuario atacado. Este problema afecta a Apache StreamPipes: desde 0.69.0 hasta 0.93.0. Se recomienda a los usuarios actualizar a la versión 0.95.0, que soluciona el problema. • https://github.com/DEVisions/CVE-2024-29868 https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27136 – Apache JSPWiki: Cross-site scripting vulnerability on upload page
https://notcve.org/view.php?id=CVE-2024-27136
XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later. XSS en la página de carga en Apache JSPWiki 2.12.1 y versiones anteriores permite al atacante ejecutar javascript en el navegador de la víctima y obtener información confidencial sobre la víctima. Los usuarios de Apache JSPWiki deben actualizar a 2.12.2 o posterior. • https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136 https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38379 – Apache Allura: Stored authenticated XSS
https://notcve.org/view.php?id=CVE-2024-38379
Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users are recommended to upgrade to version 1.17.1, which fixes the issue. La configuración del vecindario de Apache Allura es vulnerable a un ataque XSS almacenado. Solo los administradores de vecindario pueden acceder a estas configuraciones, por lo que el alcance del riesgo se limita a configuraciones en las que no se confía plenamente en los administradores de vecindario. Este problema afecta a Apache Allura: desde 1.4.0 hasta 1.17.0. • https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •