CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 0CVE-2017-7660
https://notcve.org/view.php?id=CVE-2017-7660
Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected. • http://mail-archives.us.apache.org/mod_mbox/www-announce/201707.mbox/%3CCAOOKt53EgrybaD%2BiSn-nBbvFdse-szhg%3DhMoDZuvUvyMme-Z%3Dg%40mail.gmail.com%3E http://www.securityfocus.com/bid/99485 https://security.netapp.com/advisory/ntap-20181127-0003 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8795
https://notcve.org/view.php?id=CVE-2015-8795
Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js. Múltiples vulnerabilidades de XSS en la Admin UI en Apache Solr en versiones anteriores a 5.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de campos manipulados que no se manejan correctamente durante el renderizado de la página (1) Analysis, relacionado con webapp/web/js/scripts/analysis.js o (2) Schema-Browser, relacionado con webapp/web/js/scripts/schema-browser.js. • https://issues.apache.org/jira/browse/SOLR-7346 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 3%CPEs: 1EXPL: 0CVE-2015-8797
https://notcve.org/view.php?id=CVE-2015-8797
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI. Vulnerabilidad de XSS en webapp/web/js/scripts/plugins.js en la página de inicio en la Admin UI en Apache Solr en versiones anteriores a 5.3.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un parámetro de entrada a una URI plugins/cache. • http://www-01.ibm.com/support/docview.wss?uid=swg21975544 https://issues.apache.org/jira/browse/SOLR-7949 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 3%CPEs: 1EXPL: 0CVE-2015-8796
https://notcve.org/view.php?id=CVE-2015-8796
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL. Vulnerabilidad de XSS en webapp/web/js/scripts/schema-browser.js en la Admin UI en Apache Solr en versiones anteriores a 5.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL de navegación del esquema manipulada. • http://www.securityfocus.com/bid/85205 https://issues.apache.org/jira/browse/SOLR-7920 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5506
https://notcve.org/view.php?id=CVE-2015-5506
The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal does not check the status of an entity when indexing, which allows remote attackers to obtain information about unpublished content via a search. Vulnerabilidad en el módulo Apache Solr Real-Time 7.x-1.x en versiones anteriores a 7.x-1.2 para Drupal, no comprueba el estado de una entidad cuando indexa, lo que permite a atacantes remotos obtener información sobre contenido no publicado a través de una búsqueda. • http://www.openwall.com/lists/oss-security/2015/07/04/4 http://www.securityfocus.com/bid/75275 https://www.drupal.org/node/2489890 https://www.drupal.org/node/2507581 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •