CVE-2004-2320
published 2004-12-31


Priority: P418 | medium | 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 2.56% (83.1th percentile)

The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.

Affected

14 ranges
Vendor | Product | Version range | Fixed in
bea | weblogic_server | |
bea | weblogic_server | |
bea | weblogic_server | |
bea | weblogic_server | |
mbedthis_software | mbedthis_appweb_http_server | |
mbedthis_software | mbedthis_appweb_http_server | |
mbedthis_software | mbedthis_appweb_http_server | |
mbedthis_software | mbedthis_appweb_http_server | |
mbedthis_software | mbedthis_appweb_http_server | |
mbedthis_software | mbedthis_appweb_http_server | |
mbedthis_software | mbedthis_appweb_http_server | |
mbedthis_software | mbedthis_appweb_http_server | |
mbedthis_software | mbedthis_appweb_http_server | |
mbedthis_software | mbedthis_appweb_http_server | |

CVSS provenance

nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N
vendor_redhat | 5.8 | MEDIUM