CVE-2018-8032

Home/CVE/Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/serv

CVE

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/serv

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

MEDIUM · CVSS 6.1 EPSS 0.01707

Monitor

No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

▤

Affected Products & Versions

apache axis>= 1.0 and <= 1.4
oracle agile engineering data managementall versions
oracle agile product lifecycle managementall versions
oracle application testing suiteall versions
oracle big data discoveryall versions
oracle communications asap cartridgesall versions
oracle communications design studioall versions
oracle communications element managerall versions
Show all 31 affected productsoracle communications network integrityall versions
oracle communications order and service managementall versions
oracle communications session report managerall versions
oracle communications session route managerall versions
oracle endeca information discovery studioall versions
oracle enterprise manager base platformall versions
oracle enterprise manager for fusion middlewareall versions
oracle financial services analytical applications infrastructure>= 7.3.3 and <= 7.3.5
oracle financial services analytical applications infrastructure>= 8.0.0 and <= 8.0.8
oracle financial services compliance regulatory reporting>= 8.0.6 and <= 8.0.8
oracle financial services funds transfer pricing>= 8.0.2 and <= 8.0.7
oracle flexcube core bankingall versions
oracle flexcube private bankingall versions
oracle hospitality guest accessall versions
oracle instantis enterprisetrackall versions
oracle internet directoryall versions
oracle knowledge>= 8.6.0 and <= 8.6.3
oracle peoplesoft enterprise human capital management human resourcesall versions
oracle peoplesoft enterprise peopletoolsall versions
oracle policy automation connector for siebelall versions
oracle primavera gatewayall versions
oracle primavera unifier>= 17.7 and <= 17.12
oracle primavera unifierall versions

▤

Affected Packages

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Maven axis:axis MODERATE

Maven org.apache.axis:axis MODERATE

▣

Scoring & Timeline

6.1

MEDIUM · CVSS v3.1 · security@apache.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD02 Aug 2018 · 01:29 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

⚑

Vendor Advisories

suse-csafopenSUSE-SU-2024:10646-1
suse-csafSUSE-SU-2018:3118-1
suse-csafSUSE-SU-2018:3119-1
suse-csafSUSE-SU-2018:3121-1

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://mail-archives.apache.org/mod_mbox/axis-java-dev/201807.mbox/%3CJIRA.13170716.1531060536000.93536.1531060560060%40Atlassian.JIRA%3E

https://issues.apache.org/jira/browse/AXIS-2924Issue TrackingPatchVendor Advisory

https://lists.apache.org/thread.html/3b89bc9e9d055db7eba8835ff6501f3f5db99d2a0928ec0be9b1d17b%40%3Cjava-dev.axis.apache.org%3E

https://lists.apache.org/thread.html/d06ed5e4eeb77d00e8d594ec01ee8ee1cba173a01ac4b18f1579d041%40%3Cjava-dev.axis.apache.org%3E

https://lists.debian.org/debian-lts-announce/2021/11/msg00015.htmlMailing ListThird Party Advisory

https://security.netapp.com/advisory/ntap-20240621-0006/

Show all 15 references

https://www.oracle.com/security-alerts/cpuApr2021.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2020.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatchThird Party Advisory

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin