VYPR

Application Server Portal

by Oracle Corporation

CVEs (29)

  • CVE-2002-0568 | Jul 3, 2002
    risk 0.06 | cvss | epss 0.75

    Oracle 9i Application Server stores XSQL and SOAP configuration files insecurely, which allows local users to obtain sensitive information including usernames and passwords by requesting (1) XSQLConfig.xml or (2) soapConfig.xml through a virtual directory.

  • CVE-2008-2138 | May 12, 2008
    risk 0.04 | cvss | epss 0.16

    Oracle Application Server (OracleAS) Portal 10g allows remote attackers to bypass intended access restrictions and read the contents of /dav_portal/portal/ by sending a request containing a trailing "%0A" (encoded line feed), then using the session ID that is generated from that…

  • CVE-2006-6697 | Dec 22, 2006
    risk 0.04 | cvss | epss 0.10

    CRLF injection vulnerability in webapp/jsp/calendar.jsp in Oracle Portal 10g and earlier, including 9.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the enc parameter.

  • CVE-2002-0563 | Jul 3, 2002
    risk 0.04 | cvss | epss 0.51

    The default configuration of Oracle 9i Application Server 1.0.2.x allows remote anonymous users to access sensitive services without authentication, including Dynamic Monitoring Services (1) dms0, (2) dms/DMSDump, (3) servlet/DMSDump, (4) servlet/Spy, (5) soap/servlet/Spy, and…

  • CVE-2001-1217 | Dec 21, 2001
    risk 0.04 | cvss | epss 0.54

    Directory traversal vulnerability in PL/SQL Apache module in Oracle 9i Application Server allows remote attackers to access sensitive information via a double encoded URL with .. (dot dot) sequences.

  • CVE-2007-1506 | Mar 19, 2007
    risk 0.03 | cvss | epss 0.02

    Cross-site scripting (XSS) vulnerability in PORTAL.wwv_main.render_warning_screen in Oracle Portal 10g allows remote attackers to inject arbitrary web script or HTML via the (1) p_oldurl and (2) p_newurl parameters.

  • CVE-2004-1707 | Jul 30, 2004
    risk 0.03 | cvss | epss 0.03

    The (1) dbsnmp and (2) nmo programs in Oracle 8i, Oracle 9i, and Oracle IAS 9.0.2.0.1, on Unix systems, use a default path to find and execute library files while operating at raised privileges, which allows certain Oracle user accounts to gain root privileges via a modified…

  • CVE-2002-0569 | Jul 3, 2002
    risk 0.02 | cvss | epss 0.19

    Oracle 9i Application Server allows remote attackers to bypass access restrictions for configuration files via a direct request to the XSQL Servlet (XSQLServlet).

  • CVE-2002-0842 | Mar 3, 2003
    risk 0.01 | cvss | epss 0.15

    Format string vulnerability in certain third party modifications to mod_dav for logging bad gateway messages (e.g. Oracle9i Application Server 9.0.2) allows remote attackers to execute arbitrary code via a destination URI that forces a "502 Bad Gateway" response, which causes…

  • CVE-2002-1631 | Dec 31, 2002
    risk 0.01 | cvss | epss 0.08

    SQL injection vulnerability in the query.xsql sample page in Oracle 9i Application Server (9iAS) allows remote attackers to execute arbitrary code via the sql parameter.

  • CVE-2002-1630 | Dec 31, 2002
    risk 0.01 | cvss | epss 0.07

    The sendmail.jsp sample page in Oracle 9i Application Server (9iAS) allows remote attackers to send arbitrary emails.

  • CVE-2002-0559 | Jul 3, 2002
    risk 0.01 | cvss | epss 0.13

    Buffer overflows in PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allow remote attackers to cause a denial of service or execute arbitrary code via (1) a long help page request without a dadname, which overflows the resulting HTTP Location header, (2) a long…

  • CVE-2002-0561 | Jul 3, 2002
    risk 0.01 | cvss | epss 0.10

    The default configuration of the PL/SQL Gateway web administration interface in Oracle 9i Application Server 1.0.2.x uses null authentication, which allows remote attackers to gain privileges and modify DAD settings.

  • CVE-2002-0562 | Jul 3, 2002
    risk 0.01 | cvss | epss 0.07

    The default configuration of Oracle 9i Application Server 1.0.2.x running Oracle JSP or SQLJSP stores globals.jsa under the web root, which allows remote attackers to gain sensitive information including usernames and passwords via a direct HTTP request to globals.jsa.

  • CVE-2001-1371 | Feb 6, 2002
    risk 0.01 | cvss | epss 0.12

    The default configuration of Oracle Application Server 9iAS 1.0.2.2 enables SOAP and allows anonymous users to deploy applications by default via urn:soap-service-manager and urn:soap-provider-manager.

  • CVE-2001-1216 | Dec 21, 2001
    risk 0.01 | cvss | epss 0.09

    Buffer overflow in PL/SQL Apache module in Oracle 9i Application Server allows remote attackers to execute arbitrary code via a long request for a help page.

  • CVE-2008-1825 | Apr 16, 2008
    risk 0.00 | cvss | epss 0.02

    Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 9.0.4.3 has unknown impact and remote attack vectors, aka AS03.

  • CVE-2008-0347 | Jan 17, 2008
    risk 0.00 | cvss | epss 0.03

    Unspecified vulnerability in the Oracle Ultra Search component in Oracle Collaboration Suite 10.1.2; Database 9.2.0.8, 10.1.0.5, and 10.2.0.3; and Application Server 9.0.4.3 and 10.1.2.0.2; has unknown impact and local attack vectors, aka OCS01. NOTE: Oracle has not disputed a…

  • CVE-2007-2123 | Apr 18, 2007
    risk 0.00 | cvss | epss 0.02

    Unspecified vulnerability in the Portal component in Oracle Application Server 10.1.3 up to 10.1.3.2.0, 10.1.2 up to 10.1.2.2.0, and 9.0.4.3 has unknown impact and attack vectors, aka AS04.

  • CVE-2006-6699 | Dec 23, 2006
    risk 0.00 | cvss | epss 0.01

    Multiple CRLF injection vulnerabilities in Oracle Portal 9.0.2 and possibly other versions allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the enc parameter to (1) calendarDialog.jsp or (2) fred.jsp. …

Page 1 of 2