Application Server
CVEs (200)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2004-1368 | 0.00 | — | 0.06 | Aug 4, 2004 | ISQL*Plus in Oracle 10g Application Server allows remote attackers to execute arbitrary files via an absolute pathname in the file parameter to the load.uix script. | |||
| CVE-2004-1369 | 0.00 | — | 0.06 | Aug 4, 2004 | The TNS Listener in Oracle 10g allows remote attackers to cause a denial of service (listener crash) via a malformed service_register_NSGR request containing a value that is used as an invalid offset for a pointer that references incorrect memory. | |||
| CVE-2004-1370 | 0.00 | — | 0.04 | Aug 4, 2004 | Multiple SQL injection vulnerabilities in PL/SQL procedures that run with definer rights in Oracle 9i and 10g allow remote attackers to execute arbitrary SQL commands and gain privileges via (1) DBMS_EXPORT_EXTENSION, (2) WK_ACL.GET_ACL, (3) WK_ACL.STORE_ACL, (4)… | |||
| CVE-2004-1877 | 0.00 | — | 0.03 | Mar 30, 2004 | The p_submit_url value in the sample login form in the Oracle 9i Application Server (9iAS) Single Sign-on Administrators Guide, Release 2(9.0.2) for Oracle SSO allows remote attackers to spoof the login page, which could allow users to inadvertently reveal their username and… | |||
| CVE-2002-1635 | 0.00 | — | 0.04 | Dec 31, 2002 | The Apache configuration file (httpd.conf) in Oracle 9i Application Server (9iAS) uses a Location alias for /perl directory instead of a ScriptAlias, which allows remote attackers to read the source code of arbitrary CGI files via a URL containing the /perl directory instead of… | |||
| CVE-2002-1858 | 0.00 | — | 0.05 | Dec 31, 2002 | Oracle Oracle9i Application Server 1.0.2.2 and 9.0.2 through 9.0.2.0.1, when running on Windows, allows remote attackers to retrieve files in the WEB-INF directory, which contains Java class files and configuration information, via a request to the WEB-INF directory with a… | |||
| CVE-2002-1632 | 0.00 | — | 0.05 | Dec 31, 2002 | Oracle 9i Application Server (9iAS) installs multiple sample pages that allow remote attackers to obtain environment variables and other sensitive information via (1) info.jsp, (2) printenv, (3) echo, or (4) echo2. | |||
| CVE-2002-1636 | 0.00 | — | 0.02 | Dec 31, 2002 | Cross-site scripting (XSS) vulnerability in the htp PL/SQL package for Oracle 9i Application Server (9iAS) allows remote attackers to inject arbitrary web script or HTML via the cbuf parameter to htp.print. | |||
| CVE-2002-2345 | 0.00 | — | 0.01 | Dec 31, 2002 | Oracle 9i Application Server 9.0.2 stores the web cache administrator interface password in plaintext, which allows remote attackers to gain access. | |||
| CVE-2002-2347 | 0.00 | — | 0.02 | Dec 31, 2002 | Cross-site scripting (XSS) vulnerability in Oracle Java Server Page (OJSP) demo files (1) hellouser.jsp, (2) welcomeuser.jsp and (3) usebean.jsp in Oracle 9i Application Server 9.0.2, 1.0.2.2, 1.0.2.1s and 1.0.2 allows remote attackers to inject arbitrary web script or HTML via… | |||
| CVE-2002-0565 | 0.00 | — | 0.06 | Jul 3, 2002 | Oracle 9iAS 1.0.2.x compiles JSP files in the _pages directory with world-readable permissions under the web root, which allows remote attackers to obtain sensitive information derived from the JSP code, including usernames and passwords, via a direct HTTP request to _pages. | |||
| CVE-2002-0560 | 0.00 | — | 0.04 | Jul 3, 2002 | PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to obtain sensitive information via the OWA_UTIL stored procedures (1) OWA_UTIL.signature, (2) OWA_UTIL.listprint, or (3) OWA_UTIL.show_query_columns. | |||
| CVE-2002-0564 | 0.00 | — | 0.05 | Jul 3, 2002 | PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to bypass authentication for a Database Access Descriptor (DAD) by modifying the URL to reference an alternate DAD that already has valid credentials. | |||
| CVE-2002-0566 | 0.00 | — | 0.04 | Jul 3, 2002 | PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to cause a denial of service (crash) via an HTTP Authorization header without an authentication type. | |||
| CVE-2002-1637 | 0.00 | — | 0.01 | Feb 26, 2002 | Multiple components in Oracle 9i Application Server (9iAS) are installed with over 160 default usernames and passwords, including (1) SYS, (2) SYSTEM, (3) AQJAVA, (4) OWA, (5) IMAGEUSER, (6) USER1, (7) USER2, (8) PLSQL, (9) DEMO, (10) FINANCE, and many others, which allows… | |||
| CVE-2001-1372 | 0.00 | — | 0.06 | Feb 6, 2002 | Oracle 9i Application Server 1.0.2 allows remote attackers to obtain the physical path of a file under the server root via a request for a non-existent .JSP file, which leaks the pathname in an error message. | |||
| CVE-2001-0591 | 0.00 | — | 0.04 | Aug 22, 2001 | Directory traversal vulnerability in Oracle JSP 1.0.x through 1.1.1 and Oracle 8.1.7 iAS Release 1.0.2 can allow a remote attacker to read or execute arbitrary .jsp files via a '..' (dot dot) attack. | |||
| CVE-2001-0326 | 0.00 | — | 0.05 | May 3, 2001 | Oracle Java Virtual Machine (JVM ) for Oracle 8.1.7 and Oracle Application Server 9iAS Release 1.0.2.0.1 allows remote attackers to read arbitrary files via the .jsp and .sqljsp file extensions when the server is configured to use the <> FilePermission. | |||
| CVE-2000-1236 | 0.00 | — | 0.02 | Dec 31, 2000 | SQL injection vulnerability in mod_sql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the query string of the URL. | |||
| CVE-2000-1235 | 0.00 | — | 0.05 | Dec 31, 2000 | The default configurations of (1) the port listener and (2) modplsql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allow remote attackers to view privileged database information via HTTP requests for Database Access Descriptor (DAD) files. |
- CVE-2004-1368Aug 4, 2004risk 0.00cvss —epss 0.06
ISQL*Plus in Oracle 10g Application Server allows remote attackers to execute arbitrary files via an absolute pathname in the file parameter to the load.uix script.
- CVE-2004-1369Aug 4, 2004risk 0.00cvss —epss 0.06
The TNS Listener in Oracle 10g allows remote attackers to cause a denial of service (listener crash) via a malformed service_register_NSGR request containing a value that is used as an invalid offset for a pointer that references incorrect memory.
- CVE-2004-1370Aug 4, 2004risk 0.00cvss —epss 0.04
Multiple SQL injection vulnerabilities in PL/SQL procedures that run with definer rights in Oracle 9i and 10g allow remote attackers to execute arbitrary SQL commands and gain privileges via (1) DBMS_EXPORT_EXTENSION, (2) WK_ACL.GET_ACL, (3) WK_ACL.STORE_ACL, (4)…
- CVE-2004-1877Mar 30, 2004risk 0.00cvss —epss 0.03
The p_submit_url value in the sample login form in the Oracle 9i Application Server (9iAS) Single Sign-on Administrators Guide, Release 2(9.0.2) for Oracle SSO allows remote attackers to spoof the login page, which could allow users to inadvertently reveal their username and…
- CVE-2002-1635Dec 31, 2002risk 0.00cvss —epss 0.04
The Apache configuration file (httpd.conf) in Oracle 9i Application Server (9iAS) uses a Location alias for /perl directory instead of a ScriptAlias, which allows remote attackers to read the source code of arbitrary CGI files via a URL containing the /perl directory instead of…
- CVE-2002-1858Dec 31, 2002risk 0.00cvss —epss 0.05
Oracle Oracle9i Application Server 1.0.2.2 and 9.0.2 through 9.0.2.0.1, when running on Windows, allows remote attackers to retrieve files in the WEB-INF directory, which contains Java class files and configuration information, via a request to the WEB-INF directory with a…
- CVE-2002-1632Dec 31, 2002risk 0.00cvss —epss 0.05
Oracle 9i Application Server (9iAS) installs multiple sample pages that allow remote attackers to obtain environment variables and other sensitive information via (1) info.jsp, (2) printenv, (3) echo, or (4) echo2.
- CVE-2002-1636Dec 31, 2002risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the htp PL/SQL package for Oracle 9i Application Server (9iAS) allows remote attackers to inject arbitrary web script or HTML via the cbuf parameter to htp.print.
- CVE-2002-2345Dec 31, 2002risk 0.00cvss —epss 0.01
Oracle 9i Application Server 9.0.2 stores the web cache administrator interface password in plaintext, which allows remote attackers to gain access.
- CVE-2002-2347Dec 31, 2002risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Oracle Java Server Page (OJSP) demo files (1) hellouser.jsp, (2) welcomeuser.jsp and (3) usebean.jsp in Oracle 9i Application Server 9.0.2, 1.0.2.2, 1.0.2.1s and 1.0.2 allows remote attackers to inject arbitrary web script or HTML via…
- CVE-2002-0565Jul 3, 2002risk 0.00cvss —epss 0.06
Oracle 9iAS 1.0.2.x compiles JSP files in the _pages directory with world-readable permissions under the web root, which allows remote attackers to obtain sensitive information derived from the JSP code, including usernames and passwords, via a direct HTTP request to _pages.
- CVE-2002-0560Jul 3, 2002risk 0.00cvss —epss 0.04
PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to obtain sensitive information via the OWA_UTIL stored procedures (1) OWA_UTIL.signature, (2) OWA_UTIL.listprint, or (3) OWA_UTIL.show_query_columns.
- CVE-2002-0564Jul 3, 2002risk 0.00cvss —epss 0.05
PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to bypass authentication for a Database Access Descriptor (DAD) by modifying the URL to reference an alternate DAD that already has valid credentials.
- CVE-2002-0566Jul 3, 2002risk 0.00cvss —epss 0.04
PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to cause a denial of service (crash) via an HTTP Authorization header without an authentication type.
- CVE-2002-1637Feb 26, 2002risk 0.00cvss —epss 0.01
Multiple components in Oracle 9i Application Server (9iAS) are installed with over 160 default usernames and passwords, including (1) SYS, (2) SYSTEM, (3) AQJAVA, (4) OWA, (5) IMAGEUSER, (6) USER1, (7) USER2, (8) PLSQL, (9) DEMO, (10) FINANCE, and many others, which allows…
- CVE-2001-1372Feb 6, 2002risk 0.00cvss —epss 0.06
Oracle 9i Application Server 1.0.2 allows remote attackers to obtain the physical path of a file under the server root via a request for a non-existent .JSP file, which leaks the pathname in an error message.
- CVE-2001-0591Aug 22, 2001risk 0.00cvss —epss 0.04
Directory traversal vulnerability in Oracle JSP 1.0.x through 1.1.1 and Oracle 8.1.7 iAS Release 1.0.2 can allow a remote attacker to read or execute arbitrary .jsp files via a '..' (dot dot) attack.
- CVE-2001-0326May 3, 2001risk 0.00cvss —epss 0.05
Oracle Java Virtual Machine (JVM ) for Oracle 8.1.7 and Oracle Application Server 9iAS Release 1.0.2.0.1 allows remote attackers to read arbitrary files via the .jsp and .sqljsp file extensions when the server is configured to use the <> FilePermission.
- CVE-2000-1236Dec 31, 2000risk 0.00cvss —epss 0.02
SQL injection vulnerability in mod_sql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the query string of the URL.
- CVE-2000-1235Dec 31, 2000risk 0.00cvss —epss 0.05
The default configurations of (1) the port listener and (2) modplsql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allow remote attackers to view privileged database information via HTTP requests for Database Access Descriptor (DAD) files.
Page 10 of 10