Search for packages
| purl | pkg:deb/debian/axis@1.4-28%2Bdeb12u1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-8uy7-21ts-b3aj | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in axis2-admin/axis2-admin/engagingglobally in the administration console in Apache Axis2/Java 1.4.1, 1.5.1, and possibly other versions, as used in SAP Business Objects 12, 3com IMC, and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the modules parameter. NOTE: some of these details are obtained from third party information. |
CVE-2010-2103
GHSA-23x8-j7hm-5xwf |
| VCID-hj44-args-tfa4 | Man-in-the-middle attack in Apache Axis Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
CVE-2012-5784
GHSA-55w9-c3g2-4rrh |
| VCID-jdjt-ey4h-z3az | Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. |
CVE-2018-8032
GHSA-96jq-75wh-2658 |
| VCID-xydr-nxmx-wffp | Improper Validation of Certificate with Host Mismatch The `getCN` function in Apache Axis does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or `subjectAltName` field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the `CN` field. |
CVE-2014-3596
GHSA-r53v-vm87-f72c |
| VCID-zgre-mq7s-ebch | Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome. |
CVE-2023-40743
GHSA-rmqp-9w4c-gc7w |