Total
150 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2007-0409 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 1.5 LOW | N/A |
BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP4, and 9.0 initial release does not encrypt passwords stored in the JDBCDataSourceFactory MBean Properties, which allows local administrative users to read the cleartext password. | |||||
CVE-2007-2699 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 7.1 HIGH | N/A |
The Administration Console in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not properly enforce certain Domain Security Policies, which allows remote administrative users in the Deployer role to upload arbitrary files. | |||||
CVE-2007-0418 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 7.5 HIGH | N/A |
BEA WebLogic Server 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1 does not enforce a security policy that declares permissions for EJB methods that have array parameters, which allows remote attackers to obtain unauthorized access to these methods. | |||||
CVE-2007-0415 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 5.0 MEDIUM | N/A |
BEA WebLogic Server 8.1 through 8.1 SP5 does not properly enforce access control after a dynamic update and dynamic redeployment of an application that is implemented through exploded jars, which allows attackers to bypass intended access restrictions. | |||||
CVE-2007-2696 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 6.8 MEDIUM | N/A |
The JMS Server in BEA WebLogic Server 6.1 through SP7, 7.0 through SP6, and 8.1 through SP5 enforces security access policies on the front end, which allows remote attackers to access protected queues via direct requests to the JMS back-end server. | |||||
CVE-2007-0412 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 5.0 MEDIUM | N/A |
BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP7, and 8.1 through 8.1 SP5 allows remote attackers to read arbitrary files inside the class-path property via .ear or exploded .ear files that use the manifest class-path property to point to utility jar files. | |||||
CVE-2005-4763 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 7.5 HIGH | N/A |
BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 and earlier, and 6.1 SP7 and earlier, when Internet Inter-ORB Protocol (IIOP) is used, sometimes include a password in an exception message that is sent to a client or stored in a log file, which might allow remote attackers to perform unauthorized actions. | |||||
CVE-2006-0422 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 6.4 MEDIUM | N/A |
Multiple unspecified vulnerabilities in BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allow remote attackers to access MBean attributes or cause an unspecified denial of service via unknown attack vectors. | |||||
CVE-2005-1380 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 6.8 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in BEA Admin Console 8.1 allows remote attackers to execute arbitrary web script or HTML via the server parameter to a JndiFramesetAction action. | |||||
CVE-2005-4755 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 2.1 LOW | N/A |
BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier (1) stores the private key passphrase (CustomTrustKeyStorePassPhrase) in cleartext in nodemanager.config; or, during domain creation with the Configuration Wizard, renders an SSL private key passphrase in cleartext (2) on a terminal or (3) in a log file, which might allow local users to obtain cryptographic keys. | |||||
CVE-2005-4761 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 1.2 LOW | N/A |
BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP5 and earlier, and 6.1 SP7 and earlier log the Java command line at server startup, which might include sensitive information (passwords or keyphrases) in the server log file when the -D option is used. | |||||
CVE-2005-4765 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 7.6 HIGH | N/A |
BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier and 7.0 SP6 and earlier, when using the weblogic.Deployer command with the t3 protocol, does not use the secure t3s protocol even when an Administration port is enabled on the Administration server, which might allow remote attackers to sniff the connection. | |||||
CVE-2006-1352 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 5.0 MEDIUM | N/A |
BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 and earlier, and WebLogic Server 6.1 SP7 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via crafted non-canonicalized XML documents. | |||||
CVE-2005-0432 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 5.0 MEDIUM | N/A |
BEA WebLogic Server 7.0 Service Pack 5 and earlier, and 8.1 Service Pack 3 and earlier, generates different login exceptions that suggest why an authentication attempt fails, which makes it easier for remote attackers to guess passwords via brute force attacks. | |||||
CVE-2005-4762 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 7.2 HIGH | N/A |
BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 and earlier, and 6.1 SP7 and earlier sometimes stores the boot password in the registry in cleartext, which might allow local users to gain administrative privileges. | |||||
CVE-2005-4758 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 4.0 MEDIUM | N/A |
Unspecified vulnerability in the Administration server in BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier allows remote authenticated Admin users to read arbitrary files via unknown attack vectors related to an "internal servlet" accessed through HTTP. | |||||
CVE-2005-4760 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 5.1 MEDIUM | N/A |
BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier, and 7.0 SP5 and earlier, when fullyDelegatedAuthorization is enabled for a servlet, does not cause servlet deployment to fail when failures occur in authorization or role providers, which might prevent the servlet from being "fully protected." | |||||
CVE-2005-4764 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 7.8 HIGH | N/A |
BEA WebLogic Server and WebLogic Express 9.0, 8.1, and 7.0 lock out the admin user account after multiple incorrect password guesses, which allows remote attackers who know or guess the admin account name to cause a denial of service (blocked admin logins). | |||||
CVE-2005-4766 | 1 Bea | 1 Weblogic Server | 2023-12-10 | 5.4 MEDIUM | N/A |
BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 SP5 and earlier, do not encrypt multicast traffic, which might allow remote attackers to read sensitive cluster synchronization messages by sniffing the multicast traffic. | |||||
CVE-2005-1747 | 2 Bea, Oracle | 2 Weblogic Server, Weblogic Portal | 2023-12-10 | 6.8 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 8.1 through Service Pack 4, and 7.0 through Service Pack 6, allow remote attackers to inject arbitrary web script or HTML, and possibly gain administrative privileges, via the (1) j_username or (2) j_password parameters in the login page (LoginForm.jsp), (3) parameters to the error page in the Administration Console, (4) unknown vectors in the Server Console while the administrator has an active session to obtain the ADMINCONSOLESESSION cookie, or (5) an alternate vector in the Server Console that does not require an active session but also leaks the username and password. |