
Bea Weblogic Server vulnerabilities

146 known vulnerabilities affecting bea/weblogic_server.

Total CVEs: 146
CISA KEV: 0
Public exploits: 12
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 31, MEDIUM 92, LOW 16

Vulnerabilities

Page 1 of 8. Columns: CVE | priority | severity | CVSS | public PoC | affected versions | published.
CVE-2008-3257 | P2 | CRITICAL | CVSS 10.0 | PoC | v3.1.8, v4.0 (+14 more) | 2008-07-22
CVE-2008-3257 [CRITICAL] CWE-119: Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle WebLogic Server (formerly BEA WebLogic Server) 10.3 and earlier allows remote attackers to execute arbitrary code via a long HTTP version string, as demonstrated by a string after "POST /.jsp" in an HTTP request.
Source: NVD
CVE-2004-0204 | P3 | HIGH | CVSS 7.5 | PoC | v8.1 | 2004-08-06
CVE-2004-0204 [HIGH]: Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynami
Source: NVD
CVE-2001-0098 | P3 | CRITICAL | CVSS 10.0 | PoC | ≤ 4.5.2 | 2001-02-12
CVE-2001-0098 [CRITICAL]: Buffer overflow in BEA WebLogic Server before 5.1.0 allows remote attackers to execute arbitrary commands via a long URL that begins with a ".." string.
Source: NVD
CVE-2007-2699 | P3 | HIGH | CVSS 7.1 | PoC | v9.0, v9.1 | 2007-05-16
CVE-2007-2699 [HIGH]: The Administration Console in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not properly enforce certain Domain Security Policies, which allows remote administrative users in the Deployer role to upload arbitrary files.
Source: NVD
CVE-2010-2375 | P3 | MEDIUM | CVSS 6.4 | PoC | v7.0, v8.1 (+3 more) | 2010-07-13
CVE-2010-2375 [MEDIUM]: Package/Privilege: Plugins for Apache, Sun and IIS web servers. Unspecified vulnerability in the WebLogic Server component in Oracle Fusion Middleware 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2, and 10.3.3 allows remote attackers to affect confidentiality and integrity, related to IIS.
Source: NVD
CVE-2000-0684 | P3 | CRITICAL | CVSS 10.0 | PoC | v3.1.8, v4.0.4 (+1 more) | 2000-10-20
CVE-2000-0684 [CRITICAL]: BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet, which could allow remote attackers to compile and execute Java JSP code by directly invoking the servlet on any source file.
Source: NVD
CVE-2000-0685 | P3 | CRITICAL | CVSS 10.0 | PoC | v3.1.8, v4.0.4 (+1 more) | 2000-10-20
CVE-2000-0685 [CRITICAL]: BEA WebLogic 5.1.x does not properly restrict access to the PageCompileServlet, which could allow remote attackers to compile and execute Java JHTML code by directly invoking the servlet on any source file.
Source: NVD
CVE-2000-0681 | P3 | CRITICAL | CVSS 10.0 | no PoC | ≤ 4.5.2 | 2000-10-20
CVE-2000-0681 [CRITICAL]: Buffer overflow in BEA WebLogic server proxy plugin allows remote attackers to execute arbitrary commands via a long URL with a .JSP extension.
Source: NVD
CVE-2003-0621 | P4 | MEDIUM | CVSS 5.0 | PoC | v4.2, v5.0.1 (+1 more) | 2003-12-01
CVE-2003-0621 [MEDIUM]: The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to determine the existence of files outside the web root via modified paths in the INIFILE argument.
Source: NVD
CVE-2005-1380 | P4 | MEDIUM | CVSS 6.8 | PoC | v8.1 | 2005-05-03
CVE-2005-1380 [MEDIUM]: Cross-site scripting (XSS) vulnerability in BEA Admin Console 8.1 allows remote attackers to execute arbitrary web script or HTML via the server parameter to a JndiFramesetAction action.
Source: NVD
CVE-2002-0106 | P4 | MEDIUM | CVSS 5.0 | PoC | v6.1 | 2002-03-25
CVE-2002-0106 [MEDIUM]: BEA Systems WebLogic Server 6.1 allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
Source: NVD
CVE-2000-0500 | P4 | MEDIUM | CVSS 5.0 | PoC | v3.1.8, v4.0 (+2 more) | 2000-06-21
CVE-2000-0500 [MEDIUM]: The default configuration of BEA WebLogic 5.1.0 allows a remote attacker to view source code of programs by requesting a URL beginning with /file/, which causes the default servlet to display the file without further processing.
Source: NVD
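Several of the entries above describe the request shape that triggers the bug: an oversized HTTP version token (CVE-2008-3257), a long URL beginning with ".." (CVE-2001-0098), direct invocation of JSPServlet or PageCompileServlet (CVE-2000-0684 and CVE-2000-0685), a long URL with a .JSP extension (CVE-2000-0681), an MS-DOS device name in a .JSP request (CVE-2002-0106) and a /file/ prefix (CVE-2000-0500). The Python scan below is an added example, not code from cvebase, BEA or Oracle: it parses Common Log Format access-log lines and flags each of those shapes so exploitation attempts against a legacy deployment can be triaged. The sample log lines are constructed, the length thresholds standing in for "long" are assumptions, and so is the guess that a direct servlet invocation carries the bare class name in the request path.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed thresholds standing in for "long" in the advisories: a normal version
# token is "HTTP/1.1" (8 bytes) and a normal request-target is far below 512 bytes.
MAX_HTTP_VERSION_LEN = 16
MAX_URL_LEN = 512

# MS-DOS reserved device names, the vector in CVE-2002-0106.
DOS_DEVICE_NAMES = ({"con", "prn", "aux", "nul"}
                    | {f"com{i}" for i in range(1, 10)}
                    | {f"lpt{i}" for i in range(1, 10)})

# Servlets whose direct invocation is the vector in CVE-2000-0684 / CVE-2000-0685.
# Matching the bare class name anywhere in the path is an assumption about the URL form.
DIRECT_SERVLETS: Dict[str, str] = {
    "JSPServlet": "CVE-2000-0684",
    "PageCompileServlet": "CVE-2000-0685",
}

# Common Log Format. The version group accepts anything up to the closing quote so
# an oversized version token is captured instead of making the line unparseable.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<version>[^"]*)" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Finding:
    cve: str
    client: str
    method: str
    url: str
    note: str


def check_request(client: str, method: str, url: str, version: str) -> List[Finding]:
    """Return one Finding per CVE request shape that this request matches."""
    path = url.split("?", 1)[0]
    lower = path.lower()
    found: List[Finding] = []

    # CVE-2008-3257: mod_wl stack overflow via an oversized HTTP version string.
    if len(version) > MAX_HTTP_VERSION_LEN:
        found.append(Finding("CVE-2008-3257", client, method, url,
                             f"HTTP version token is {len(version)} bytes"))

    # CVE-2000-0500: a /file/ prefix makes the default servlet return the source verbatim.
    if lower.startswith("/file/"):
        found.append(Finding("CVE-2000-0500", client, method, url,
                             "source disclosure via /file/ prefix"))

    # CVE-2002-0106: a .jsp request whose file name is an MS-DOS device name.
    for segment in lower.split("/"):
        stem, dot, ext = segment.rpartition(".")
        if dot and ext == "jsp" and stem in DOS_DEVICE_NAMES:
            found.append(Finding("CVE-2002-0106", client, method, url,
                                 f"MS-DOS device name '{stem}' in .jsp request"))
            break

    # CVE-2000-0684 / CVE-2000-0685: direct invocation of the page-compiling servlets.
    for name, cve in DIRECT_SERVLETS.items():
        if name in path:
            found.append(Finding(cve, client, method, url, f"direct invocation of {name}"))

    # CVE-2001-0098: long request-target beginning with "..".
    if path.startswith("..") and len(url) > MAX_URL_LEN:
        found.append(Finding("CVE-2001-0098", client, method, url,
                             f"{len(url)}-byte URL beginning with '..'"))

    # CVE-2000-0681: long request-target with a .JSP extension (proxy plug-in overflow).
    if lower.endswith(".jsp") and len(url) > MAX_URL_LEN:
        found.append(Finding("CVE-2000-0681", client, method, url,
                             f"{len(url)}-byte URL with .jsp extension"))
    return found


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Parse CLF lines and collect findings; lines that are not CLF are skipped."""
    findings: List[Finding] = []
    for line in lines:
        m = CLF_RE.match(line)
        if m:
            findings.extend(check_request(m["client"], m["method"], m["url"], m["version"]))
    return findings


# Constructed sample lines (not from any real server); two carry oversized fields.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2008:10:00:01 +0000] "POST /.jsp HTTP/1.1' + "A" * 300 + '" 400 0',
    '10.0.0.6 - - [22/Jul/2008:10:00:02 +0000] "GET /file/WEB-INF/web.xml HTTP/1.0" 200 1532',
    '10.0.0.7 - - [22/Jul/2008:10:00:03 +0000] "GET /index.jsp HTTP/1.1" 200 4032',
    '10.0.0.8 - - [22/Jul/2008:10:00:04 +0000] "GET /app/CON.jsp HTTP/1.1" 500 0',
    '10.0.0.9 - - [22/Jul/2008:10:00:05 +0000] "GET /servlet/JSPServlet/index.jsp HTTP/1.0" 200 88',
    '10.0.0.10 - - [22/Jul/2008:10:00:06 +0000] "GET ../' + "A" * 600 + '.jsp HTTP/1.0" 414 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.cve}  {f.client}  {f.method} {f.url[:40]}  {f.note}")
```

Run it as a script to see the findings for the constructed lines, or pass the lines of a real access log to scan_log(). A match means a client sent the request shape, not that the server was vulnerable; the version tags in the listing above are what decide the latter.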
CVE-2003-0624 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 8.1, v3.1.8 | 2003-12-01
CVE-2003-0624 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in InteractiveQuery.jsp for BEA WebLogic 8.1 and earlier allows remote attackers to inject malicious web script via the person parameter.
Source: NVD
CVE-2007-0417 | P3 | CRITICAL | CVSS 10.0 | no PoC | ≤ 7.0, v7.0 (+3 more) | 2007-01-23
CVE-2007-0417 [CRITICAL]: BEA WebLogic Server 7.0 through 7.0 SP7, 8.1 through 8.1 SP5, 9.0, and 9.1, when using the WebLogic Server 6.1 compatibility realm, allows attackers to execute certain EJB container persistence operations with an administrative identity.
Source: NVD
CVE-2008-0895 | P3 | MEDIUM | CVSS 6.4 | no PoC | v6.1, v7.0 (+5 more) | 2008-02-22
CVE-2008-0895 [MEDIUM] CWE-287: BEA WebLogic Server and WebLogic Express 6.1 through 10.0 allows remote attackers to bypass authentication for application servlets via crafted request headers.
Source: NVD
CVE-2007-0416 | P3 | HIGH | CVSS 7.5 | no PoC | v9.0, v9.1 | 2007-01-23
CVE-2007-0416 [HIGH]: The WSEE runtime (WS-Security runtime) in BEA WebLogic Server 9.0 and 9.1 does not verify credentials when decrypting client messages, which allows remote attackers to bypass application security.
Source: NVD
CVE-2003-0151 | P4 | HIGH | CVSS 7.5 | no PoC | v6.0, v6.1 (+2 more) | 2003-03-24
CVE-2003-0151 [HIGH]: BEA WebLogic Server and Express 6.0 through 7.0 does not properly restrict access to certain internal servlets that perform administrative functions, which allows remote attackers to read arbitrary files or execute arbitrary code.
Source: NVD
CVE-2008-0897 | P4 | HIGH | CVSS 7.9 | no PoC | v9.0, v9.1 (+2 more) | 2008-02-22
CVE-2008-0897 [HIGH] CWE-264: Unspecified vulnerability in BEA WebLogic Server 9.0 through 10.0 allows remote authenticated users without "receive" permissions to bypass intended access restrictions and receive messages from a standalone JMS Topic or secured Distributed Topic member destination, related to durable subscriptions.
Source: NVD
CVE-2005-4757 | P4 | HIGH | CVSS 7.5 | no PoC | v7.0, v8.1 | 2005-12-31
CVE-2005-4757 [HIGH]: BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier, and 7.0 SP5 and earlier, do not properly "constrain" a "/" (slash) servlet root URL pattern, which might allow remote attackers to bypass intended servlet protections.
Source: NVD
CVE-2007-0425 | P4 | HIGH | CVSS 7.5 | no PoC | ≤ 8.1, v8.1 | 2007-01-23
CVE-2007-0425 [HIGH]: Unspecified vulnerability in BEA WebLogic Platform and Server 8.1 through 8.1 SP5, and JRockit 1.4.2 R4.5 and earlier, allows attackers to gain privileges via unspecified vectors, related to an "overflow condition," probably a buffer overflow.
Source: NVD