Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 6.1 through 10.0 MP1 allow remote attackers to inject arbitrary web script or HTML via unspecified samples. NOTE: this might be the same issue as CVE-2007-2694.
Max CVSS
4.3
EPSS Score
0.24%
Published
2008-02-22
Updated
2011-03-08
Cross-site scripting (XSS) vulnerability in the Administration Console in BEA WebLogic Server and Express 9.0 through 10.0 allows remote attackers to inject arbitrary web script or HTML via URLs that are not properly handled by the Unexpected Exception Page.
Max CVSS
4.3
EPSS Score
0.28%
Published
2008-02-22
Updated
2011-03-08
Cross-site scripting (XSS) vulnerability in BEA WebLogic Workshop 8.1 through SP6 and Workshop for WebLogic 9.0 through 10.0 allows remote attackers to inject arbitrary web script or HTML via a "framework defined request parameter" when using WebLogic Workshop or Apache Beehive NetUI framework with page flows.
Max CVSS
4.3
EPSS Score
0.32%
Published
2008-02-21
Updated
2011-03-08
Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Workshop allow remote attackers to inject arbitrary web script or HTML via an invalid action URI, which is not properly handled by NetUI page flows.
Max CVSS
4.3
EPSS Score
0.28%
Published
2008-02-21
Updated
2011-03-08
The JMS Message Bridge in BEA WebLogic Server 7.0 through SP7 and 8.1 through Service Pack 6, when configured without a username and password, or when the connection URL is not defined, allows remote attackers to bypass the security access policy and "send unauthorized messages to a protected queue."
Max CVSS
4.6
EPSS Score
0.93%
Published
2007-05-16
Updated
2017-07-29
The WLST script generated by the configToScript command in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not encrypt certain attributes in configuration files when creating a new domain, which allows remote authenticated users to obtain sensitive information.
Max CVSS
4.0
EPSS Score
0.53%
Published
2007-05-16
Updated
2017-07-29
Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Express and WebLogic Server 6.1 through SP7, 7.0 through SP7, 8.1 through SP5, 9.0 GA, and 9.1 GA allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.61%
Published
2007-05-16
Updated
2011-03-08
BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2 does not properly set the severity level of audit events when the system load is high, which might make it easier for attackers to avoid detection.
Max CVSS
4.6
EPSS Score
0.06%
Published
2007-01-23
Updated
2008-11-13
BEA WebLogic Server 8.1 through 8.1 SP5 stores cleartext data in a backup of config.xml after offline editing, which allows local users to obtain sensitive information by reading this backup file.
Max CVSS
4.4
EPSS Score
0.04%
Published
2007-01-23
Updated
2011-03-08
Unspecified vulnerability in BEA WebLogic Server 9.1 and 9.0, 8.1 through SP5, 7.0 through SP6, and 6.1 through SP7 allows untrusted applications to obtain private server keys.
Max CVSS
4.9
EPSS Score
0.07%
Published
2006-05-19
Updated
2017-07-20
The WebLogic Server Administration Console in BEA WebLogic Server 8.1 up to SP4 and 7.0 up to SP6 displays the domain name in the Console login form, which allows remote attackers to obtain sensitive information.
Max CVSS
4.0
EPSS Score
0.22%
Published
2006-05-19
Updated
2017-07-20
BEA WebLogic Server 8.1 up to SP4, 7.0 up to SP6, and 6.1 up to SP7 displays the internal IP address of the WebLogic server in the WebLogic Server Administration Console, which allows remote authenticated administrators to determine the address.
Max CVSS
4.0
EPSS Score
0.31%
Published
2006-05-19
Updated
2017-07-20
stopWebLogic.sh in BEA WebLogic Server 8.1 before Service Pack 4 and 7.0 before Service Pack 6 displays the administrator password to stdout when executed, which allows local users to obtain the password by viewing a local display.
Max CVSS
4.6
EPSS Score
0.04%
Published
2006-05-19
Updated
2017-07-20
BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allows remote authenticated guest users to read the server log and obtain sensitive configuration information.
Max CVSS
4.0
EPSS Score
0.33%
Published
2006-01-25
Updated
2017-07-20
By design, BEA WebLogic Server and WebLogic Express 7.0 and 6.1, when creating multiple domains from the same WebLogic instance on the same machine, allows administrators of any created domain to access other created domains, which could allow administrators to gain privileges that were not intended.
Max CVSS
4.6
EPSS Score
0.07%
Published
2006-01-25
Updated
2017-07-20
Unspecified vulnerability in the Administration server in BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier allows remote authenticated Admin users to read arbitrary files via unknown attack vectors related to an "internal servlet" accessed through HTTP.
Max CVSS
4.0
EPSS Score
0.11%
Published
2005-12-31
Updated
2018-09-27
BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 SP6 and earlier, might allow local users to gain privileges by using the run-as deployment descriptor element to change the privileges of a web application or EJB from the Deployer security role to the Admin security role.
Max CVSS
4.6
EPSS Score
0.04%
Published
2005-12-31
Updated
2018-09-27
BEA Systems WebLogic 8.1 SP1 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes WebLogic to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
Max CVSS
4.3
EPSS Score
10.05%
Published
2005-07-05
Updated
2017-07-11
The UserLogin control in BEA WebLogic Portal 8.1 through Service Pack 3 prints the password to standard output when an incorrect login attempt is made, which could make it easier for attackers to guess the correct password.
Max CVSS
4.6
EPSS Score
0.12%
Published
2005-05-24
Updated
2018-10-30
BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges.
Max CVSS
4.6
EPSS Score
0.05%
Published
2004-04-13
Updated
2017-07-11
BEA WebLogic Server and Express 8.1, SP1 and earlier, stores the administrator password in cleartext in config.xml, which allows local users to gain privileges.
Max CVSS
4.6
EPSS Score
0.04%
Published
2004-12-31
Updated
2017-07-11
The configuration tools (1) config.sh in Unix or (2) config.cmd in Windows for BEA WebLogic Server 8.1 through SP2 create a log file that contains the administrative username and password in cleartext, which could allow local users to gain privileges.
Max CVSS
4.6
EPSS Score
0.04%
Published
2004-07-27
Updated
2017-07-11
Race condition in BEA WebLogic Server and Express 5.1 through 7.0.0.1, when using in-memory session replication or replicated stateful session beans, causes the same buffer to be provided to two users, which could allow one user to see session data that was intended for another user.
Max CVSS
4.3
EPSS Score
0.20%
Published
2003-12-31
Updated
2017-07-29
BEA WebLogic Server and Express 7.0 and 7.0.0.1, when using "memory" session persistence for web applications, does not clear authentication information when a web application is redeployed, which could allow users of that application to gain access without having to re-authenticate.
Max CVSS
4.6
EPSS Score
0.06%
Published
2003-03-18
Updated
2017-07-11
BEA WebLogic Server 6.1, 7.0 and 7.0.0.1, when routing messages to a JMS target domain that is inaccessible, may leak the user's password when it throws a ResourceAllocationException.
Max CVSS
4.6
EPSS Score
0.06%
Published
2003-12-31
Updated
2017-07-11
28 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!