The distributed queue feature in JMS in BEA WebLogic Server 9.0 through 10.0, in certain configurations, does not properly handle when a client cannot send a message to a member of a distributed queue, which allows remote authenticated users to bypass intended access restrictions for protected distributed queues.
Max CVSS
5.8
EPSS Score
0.26%
Published
2008-02-22
Updated
2011-03-08
BEA WebLogic Server and WebLogic Express 9.0 and 9.1 exposes the web service's WSDL and security policies, which allows remote attackers to obtain sensitive information and potentially launch further attacks.
Max CVSS
5.0
EPSS Score
0.29%
Published
2008-02-21
Updated
2011-03-08
portal/server.pt in the Plumtree portal in BEA AquaLogic Interaction 5.0.2 through 5.0.4 and 6.0.1.218452 allows wildcards in advanced searches for usernames, which allows remote attackers to enumerate valid usernames via the in_tx_fulltext parameter.
Max CVSS
5.0
EPSS Score
2.36%
Published
2007-12-01
Updated
2018-10-15
The Plumtree portal in BEA AquaLogic Interaction 5.0.2 through 5.0.4 and 6.0.1.218452 allows remote attackers to obtain version numbers and internal hostnames by reading comments in the HTML source of any page.
Max CVSS
5.0
EPSS Score
0.89%
Published
2007-12-01
Updated
2018-10-15
BEA WebLogic Server 9.0 through 9.2 allows remote attackers to cause a denial of service (SSL port unavailability) by accessing a half-closed SSL socket.
Max CVSS
5.4
EPSS Score
2.76%
Published
2007-05-16
Updated
2017-07-29
The Administration Console in BEA WebLogic Server 9.0 may show plaintext Web Service attributes during configuration creation, which allows remote attackers to obtain sensitive credential information.
Max CVSS
5.0
EPSS Score
1.14%
Published
2007-05-16
Updated
2017-07-29
The embedded LDAP server in BEA WebLogic Express and WebLogic Server 7.0 through SP6, 8.1 through SP5, 9.0, and 9.1, when in certain configurations, does not limit or audit failed authentication attempts, which allows remote attackers to more easily conduct brute-force attacks against the administrator password, or flood the server with login attempts and cause a denial of service.
Max CVSS
5.1
EPSS Score
1.90%
Published
2007-05-16
Updated
2017-07-29
The HttpClusterServlet and HttpProxyServlet in BEA WebLogic Express and WebLogic Server 6.1 through SP7, 7.0 through SP7, 8.1 through SP5, 9.0, and 9.1, when SecureProxy is enabled, may process "external requests on behalf of a system identity," which allows remote attackers to access administrative data or functionality.
Max CVSS
5.1
EPSS Score
1.40%
Published
2007-05-16
Updated
2017-07-29
Unspecified vulnerability in the BEA WebLogic Server proxy plug-in for Netscape Enterprise Server before September 2006 for Netscape Enterprise Server allow remote attackers to cause a denial of service via certain requests that trigger errors that lead to a server being marked as unavailable, hosting web server failure, or CPU consumption.
Max CVSS
5.0
EPSS Score
2.52%
Published
2007-01-23
Updated
2011-03-08
BEA WebLogic Server 9.0, 9.1, and 9.2 Gold, when running on Solaris 9, allows remote attackers to cause a denial of service (server inaccessibility) via manipulated socket connections.
Max CVSS
5.0
EPSS Score
2.52%
Published
2007-01-23
Updated
2011-03-08
BEA WebLogic Server 9.0, 9.1, and 9.2 Gold allows remote attackers to obtain sensitive information via malformed HTTP requests, which reveal data from previous requests.
Max CVSS
5.0
EPSS Score
0.78%
Published
2007-01-23
Updated
2011-03-08
The BEA WebLogic Server proxy plug-in before June 2006 for the Apache HTTP Server does not properly handle protocol errors, which allows remote attackers to cause a denial of service (server outage).
Max CVSS
5.0
EPSS Score
2.52%
Published
2007-01-23
Updated
2011-03-08
BEA WebLogic Server 8.1 through 8.1 SP5 does not properly enforce access control after a dynamic update and dynamic redeployment of an application that is implemented through exploded jars, which allows attackers to bypass intended access restrictions.
Max CVSS
5.0
EPSS Score
0.88%
Published
2007-01-23
Updated
2011-03-08
BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, and 9.0 allows remote attackers to cause a denial of service (server hang) via certain requests that cause muxer threads to block when processing error pages.
Max CVSS
5.0
EPSS Score
2.52%
Published
2007-01-23
Updated
2011-03-08
BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP7, and 8.1 through 8.1 SP5 allows remote attackers to read arbitrary files inside the class-path property via .ear or exploded .ear files that use the manifest class-path property to point to utility jar files.
Max CVSS
5.0
EPSS Score
0.86%
Published
2007-01-23
Updated
2018-10-17
Unspecified vulnerability in the thread management in BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1, when T3 authentication is used, allows remote attackers to cause a denial of service (thread and system hang) via unspecified "sequences of events."
Max CVSS
5.0
EPSS Score
0.90%
Published
2007-01-23
Updated
2018-10-17
A recommended admin password reset mechanism for BEA WebLogic Server 8.1, when followed before October 10, 2005, causes the administrator password to be stored in cleartext in the domain directory, which could allow attackers to gain privileges.
Max CVSS
5.0
EPSS Score
0.51%
Published
2006-05-23
Updated
2017-07-20
Multiple vulnerabilities in BEA WebLogic Server 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 leak sensitive information to remote attackers, including (1) DNS and IP addresses to address to T3 clients, (2) internal sensitive information using GetIORServlet, (3) certain "server details" in exceptions when invalid XML is provided, and (4) a stack trace in a SOAP fault.
Max CVSS
5.0
EPSS Score
1.19%
Published
2006-05-19
Updated
2017-07-20
BEA WebLogic Server 8.1 before Service Pack 4 and 7.0 before Service Pack 6, may send sensitive data over non-secure channels when using JTA transactions, which allows remote attackers to read potentially sensitive network traffic.
Max CVSS
5.0
EPSS Score
1.55%
Published
2006-05-19
Updated
2017-07-20
BEA WebLogic Server before 8.1 Service Pack 4 does not properly set the Quality of Service in certain circumstances, which prevents some transmissions from being encrypted via SSL, and allows remote attackers to more easily read potentially sensitive network traffic.
Max CVSS
5.0
EPSS Score
1.55%
Published
2006-05-19
Updated
2017-07-20
BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 and earlier, and WebLogic Server 6.1 SP7 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via crafted non-canonicalized XML documents.
Max CVSS
5.0
EPSS Score
2.52%
Published
2006-03-22
Updated
2017-07-20
BEA WebLogic Server 6.1 SP7 and earlier allows remote attackers to read arbitrary files via unknown attack vectors related to a "default internal servlet" accessed through HTTP.
Max CVSS
5.0
EPSS Score
1.43%
Published
2006-03-22
Updated
2017-07-20
Certain configurations of BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6, when connection filters are enabled, cause the server to run more slowly, which makes it easier for remote attackers to cause a denial of service (server slowdown).
Max CVSS
5.0
EPSS Score
2.32%
Published
2006-01-25
Updated
2017-07-20
BEA WebLogic Server and WebLogic Express 8.1 through SP4 and 7.0 through SP6 does not properly handle when servlets use relative forwarding, which allows remote attackers to cause a denial of service (slowdown) via unknown attack vectors that cause "looping stack overflow errors."
Max CVSS
5.0
EPSS Score
0.40%
Published
2006-01-25
Updated
2008-09-05
BEA WebLogic Server and WebLogic Express 8.1 SP5 and earlier, and 7.0 SP6 and earlier, when using username/password authentication, does not lock out a username after the maximum number of invalid login attempts, which makes it easier for remote attackers to guess the password.
Max CVSS
5.1
EPSS Score
0.38%
Published
2005-12-31
Updated
2008-09-05
54 vulnerabilities found
1 2 3
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!