CVE-2004-2320
Published 2004-12-31
Priority P4 · medium 5.3 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS 2.56% (83.1st percentile)
The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.
Affected (14 ranges; version bounds not listed in this record)

| Vendor | Product | Ranges | Version range | Fixed in |
|---|---|---|---|---|
| bea | weblogic_server | 4 | — | — |
| mbedthis_software | mbedthis_appweb_http_server | 10 | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| vendor_redhat | — | 5.8 | MEDIUM | — |
GHSA: GHSA-522h-48w5-75fm (CVE-2007-3008, MEDIUM, CWE-79)
ghsa_unreviewed · 2022-05-01 · CVSS 5.8
Mbedthis AppWeb before 2.2.2 enables the HTTP TRACE method, which has unspecified impact probably related to remote information leaks and cross-site tracing (XST) attacks, a related issue to CVE-2004-2320 and CVE-2005-3398.
GHSA: GHSA-j9r3-w4r5-872h (CVE-2004-2320, MEDIUM, CWE-200)
ghsa_unreviewed · 2022-04-29
The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.
Red Hat: CVE-2004-2320 (MEDIUM)
vendor_redhat · CVSS 5.8
The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.
Statement: The Apache Software Foundation does not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required.
For more information please see: http://www.apacheweek.com/issues/03-01-24#news
Red Hat: CVE-2007-3008 (MEDIUM)
vendor_redhat · CVSS 5.8
Mbedthis AppWeb before 2.2.2 enables the HTTP TRACE method, which has unspecified impact probably related to remote information leaks and cross-site tracing (XST) attacks, a related issue to CVE-2004-2320 and CVE-2005-3398.
Statement: The Apache Software Foundation does not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required.
For more information please see: http://www.apacheweek.com/issues/03-01-24#news
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://dev2dev.bea.com/pub/advisory/68
- http://secunia.com/advisories/10726
- http://www.kb.cert.org/vuls/id/867593
- http://www.osvdb.org/3726
- http://www.securityfocus.com/bid/9506
- http://www.securitytracker.com/alerts/2004/Jan/1008866.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/14959