cvebase

BEA WebLogic Server vulnerabilities

146 known vulnerabilities affecting bea/weblogic_server.

Total CVEs: 146
CISA KEV: 0
Public exploits: 12
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 31, MEDIUM 92, LOW 16

Vulnerabilities

Page 6 of 8
CVE-2003-1223 | P4 | MEDIUM | CVSS 5.0 | v6.1, v7.0, +2 more | 2003-12-31
CVE-2003-1223 [MEDIUM]: The Node Manager for BEA WebLogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (Node Manager crash) via malformed data to the Node Manager's port, as demonstrated by nmap.
Source: nvd
CVE-2003-0622 | P4 | MEDIUM | CVSS 5.0 | v4.2, v5.0.1, +1 more | 2003-12-01
CVE-2003-0622 [MEDIUM]: The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to cause a denial of service (hang) via pathname arguments that contain MS-DOS device names such as CON and AUX.
Source: nvd
CVE-2007-2694 | P4 | MEDIUM | CVSS 4.3 | v6.1, v7.0, +3 more | 2007-05-16
CVE-2007-2694 [MEDIUM]: Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Express and WebLogic Server 6.1 through SP7, 7.0 through SP7, 8.1 through SP5, 9.0 GA, and 9.1 GA allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Source: nvd
CVE-2005-2092 | P4 | MEDIUM | CVSS 4.3 | v8.1 | 2005-07-05
CVE-2005-2092 [MEDIUM]: BEA Systems WebLogic 8.1 SP1 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes WebLogic to incorrectly handle and forward the body of the request in a way that causes the receiving ser
Source: nvd
CVE-2000-0682 | P4 | MEDIUM | CVSS 5.0 | v5.1 | 2000-10-20
CVE-2000-0682 [MEDIUM]: BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /ConsoleHelp/ into the URL, which invokes the FileServlet.
Source: nvd
CVE-2000-0683 | P4 | MEDIUM | CVSS 5.0 | v5.1 | 2000-10-20
CVE-2000-0683 [MEDIUM]: BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /*.shtml/ into the URL, which invokes the SSIServlet.
Source: nvd
CVE-2003-1222 | P4 | MEDIUM | CVSS 5.0 | v8.1 | 2003-12-31
CVE-2003-1222 [MEDIUM]: BEA WebLogic Express and Server 8.0 through 8.1 SP 1, when using a foreign Java Message Service (JMS) provider, echoes the password for the foreign provider to the console and stores it in cleartext in config.xml, which could allow attackers to obtain the password.
Source: nvd
CVE-2005-4759 | P4 | MEDIUM | CVSS 5.0 | v7.0, v8.1 | 2005-12-31
CVE-2005-4759 [MEDIUM]: BEA WebLogic Server and WebLogic Express 8.1 and 7.0, during a migration across operating system platforms, do not warn the administrative user about platform differences in URLResource case sensitivity, which might cause local users to inadvertently lose protection of Web Application pages.
Source: nvd
CVE-2003-1220 | P4 | MEDIUM | CVSS 5.0 | v6.1, v7.0, +2 more | 2003-12-31
CVE-2003-1220 [MEDIUM]: BEA WebLogic Server proxy plugin for BEA WebLogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (proxy plugin crash) via a malformed URL.
Source: nvd
CVE-2003-1221 | P4 | MEDIUM | CVSS 5.0 | v7.0, v7.0.0.1, +1 more | 2003-12-31
CVE-2003-1221 [MEDIUM]: BEA WebLogic Express and Server 7.0 through 8.1 SP 1, under certain circumstances when a request to use T3 over SSL (t3s) is made to the insecure T3 port, may use a non-SSL connection for the communication, which could allow attackers to sniff sessions.
Source: nvd
CVE-2005-1745 | P4 | MEDIUM | CVSS 4.6 | v6.0, v6.1, +3 more | 2005-05-24
CVE-2005-1745 [MEDIUM]: The UserLogin control in BEA WebLogic Portal 8.1 through Service Pack 3 prints the password to standard output when an incorrect login attempt is made, which could make it easier for attackers to guess the correct password.
Source: nvd
CVE-2003-0623 | P4 | MEDIUM | CVSS 4.3 | v4.2, v5.0.1, +1 more | 2003-12-01
CVE-2003-0623 [MEDIUM]: Cross-site scripting (XSS) vulnerability in the Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to inject arbitrary web script via the INIFILE argument.
Source: nvd
CVE-2006-0421 | P4 | MEDIUM | CVSS 4.6 | v6.1, v7.0 | 2006-01-25
CVE-2006-0421 [MEDIUM]: By design, BEA WebLogic Server and WebLogic Express 7.0 and 6.1, when creating multiple domains from the same WebLogic instance on the same machine, allow administrators of any created domain to access other created domains, which could allow administrators to gain privileges that were not intended.
Source: nvd
CVE-2004-1758 | P4 | MEDIUM | CVSS 4.6 | v6.1, v7.0, +1 more | 2004-04-13
CVE-2004-1758 [MEDIUM]: BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges.
Source: nvd
CVE-2005-4752 | P4 | MEDIUM | CVSS 4.6 | v7.0, v8.1 | 2005-12-31
CVE-2005-4752 [MEDIUM]: BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 SP6 and earlier, might allow local users to gain privileges by using the run-as deployment descriptor element to change the privileges of a web application or EJB from the Deployer security role to the Admin security role.
Source: nvd
CVE-2008-0869 | P4 | MEDIUM | CVSS 4.3 | v9.0, v9.1, +1 more | 2008-02-21
CVE-2008-0869 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in BEA WebLogic Workshop 8.1 through SP6 and Workshop for WebLogic 9.0 through 10.0 allows remote attackers to inject arbitrary web script or HTML via a "framework defined request parameter" when using WebLogic Workshop or Apache Beehive NetUI framework with page flows.
Source: nvd
CVE-2008-0899 | P4 | MEDIUM | CVSS 4.3 | v9.0, v9.1, +2 more | 2008-02-22
CVE-2008-0899 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the Administration Console in BEA WebLogic Server and Express 9.0 through 10.0 allows remote attackers to inject arbitrary web script or HTML via URLs that are not properly handled by the Unexpected Exception Page.
Source: nvd
CVE-2008-0902 | P4 | MEDIUM | CVSS 4.3 | v6.1, v7.0, +4 more | 2008-02-22
CVE-2008-0902 [MEDIUM]: Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 6.1 through 10.0 MP1 allow remote attackers to inject arbitrary web script or HTML via unspecified samples. NOTE: this might be the same issue as CVE-2007-2694.
Source: nvd
CVE-2007-2700 | P4 | MEDIUM | CVSS 4.0 | v9.0, v9.1 | 2007-05-16
CVE-2007-2700 [MEDIUM]: The WLST script generated by the configToScript command in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not encrypt certain attributes in configuration files when creating a new domain, which allows remote authenticated users to obtain sensitive information.
Source: nvd
CVE-2006-0424 | P4 | MEDIUM | CVSS 4.0 | v6.1, v7.0, +1 more | 2006-01-25
CVE-2006-0424 [MEDIUM]: BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allow remote authenticated guest users to read the server log and obtain sensitive configuration information.
Source: nvd