Weblogic Server
Sign in to watchby Bea
CVEs (150)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2005-1744 | Cri | 0.64 | 9.8 | 0.01 | May 24, 2005 | BEA WebLogic Server and WebLogic Express 7.0 through Service Pack 5 does not log out users when an application is redeployed, which allows those users to continue to access the application without having to log in again, which may be in violation of newly changed security constraints or role mappings. | |
| CVE-2000-0499 | Hig | 0.49 | 7.5 | 0.01 | Jun 8, 2000 | The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. | |
| CVE-2008-3257 | 0.09 | — | 0.81 | Jul 22, 2008 | Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle WebLogic Server (formerly BEA WebLogic Server) 10.3 and earlier allows remote attackers to execute arbitrary code via a long HTTP version string, as demonstrated by a string after "POST /.jsp" in an HTTP request. | ||
| CVE-2004-0204 | 0.09 | — | 0.75 | Aug 6, 2004 | Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx. | ||
| CVE-2001-0098 | 0.05 | — | 0.21 | Feb 12, 2001 | Buffer overflow in Bea WebLogic Server before 5.1.0 allows remote attackers to execute arbitrary commands via a long URL that begins with a ".." string. | ||
| CVE-2010-2375 | 0.04 | — | 0.16 | Jul 13, 2010 | Package/Privilege: Plugins for Apache, Sun and IIS web servers Unspecified vulnerability in the WebLogic Server component in Oracle Fusion Middleware 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2, and 10.3.3 allows remote attackers to affect confidentiality and integrity, related to IIS. | ||
| CVE-2003-0621 | 0.04 | — | 0.07 | Dec 1, 2003 | The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to determine the existence of files outside the web root via modified paths in the INIFILE argument. | ||
| CVE-2000-0500 | 0.04 | — | 0.07 | Jun 21, 2000 | The default configuration of BEA WebLogic 5.1.0 allows a remote attacker to view source code of programs by requesting a URL beginning with /file/, which causes the default servlet to display the file without further processing. | ||
| CVE-2005-1380 | 0.03 | — | 0.01 | May 3, 2005 | Cross-site scripting (XSS) vulnerability in BEA Admin Console 8.1 allows remote attackers to execute arbitrary web script or HTML via the server parameter to a JndiFramesetAction action. | ||
| CVE-2003-0624 | 0.03 | — | 0.03 | Dec 1, 2003 | Cross-site scripting (XSS) vulnerability in InteractiveQuery.jsp for BEA WebLogic 8.1 and earlier allows remote attackers to inject malicious web script via the person parameter. | ||
| CVE-2002-0106 | 0.03 | — | 0.06 | Mar 25, 2002 | BEA Systems Weblogic Server 6.1 allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name. | ||
| CVE-2000-0684 | 0.03 | — | 0.05 | Oct 20, 2000 | BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet, which could allow remote attackers to compile and execute Java JSP code by directly invoking the servlet on any source file. | ||
| CVE-2000-0685 | 0.03 | — | 0.05 | Oct 20, 2000 | BEA WebLogic 5.1.x does not properly restrict access to the PageCompileServlet, which could allow remote attackers to compile and execute Java JHTML code by directly invoking the servlet on any source file. | ||
| CVE-2000-0681 | 0.01 | — | 0.15 | Oct 20, 2000 | Buffer overflow in BEA WebLogic server proxy plugin allows remote attackers to execute arbitrary commands via a long URL with a .JSP extension. | ||
| CVE-2008-0899 | 0.00 | — | 0.00 | Feb 22, 2008 | Cross-site scripting (XSS) vulnerability in the Administration Console in BEA WebLogic Server and Express 9.0 through 10.0 allows remote attackers to inject arbitrary web script or HTML via URLs that are not properly handled by the Unexpected Exception Page. | ||
| CVE-2008-0903 | 0.00 | — | 0.01 | Feb 22, 2008 | Unspecified vulnerability in the BEA WebLogic Server and Express proxy plugin, as distributed before November 2007 and before 9.2 MP3 and 10.0 MP2, allows remote attackers to cause a denial of service (web server crash) via a crafted URL. | ||
| CVE-2008-0902 | 0.00 | — | 0.00 | Feb 22, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 6.1 through 10.0 MP1 allow remote attackers to inject arbitrary web script or HTML via unspecified samples. NOTE: this might be the same issue as CVE-2007-2694. | ||
| CVE-2008-0900 | 0.00 | — | 0.05 | Feb 22, 2008 | Session fixation vulnerability in BEA WebLogic Server and Express 8.1 SP4 through SP6, 9.2 through MP1, and 10.0 allows remote authenticated users to hijack web sessions via unknown vectors. | ||
| CVE-2008-0901 | 0.00 | — | 0.01 | Feb 22, 2008 | BEA WebLogic Server and Express 7.0 through 10.0 allows remote attackers to conduct brute force password guessing attacks, even when account lockout has been activated, via crafted URLs that indicate whether a guessed password is successful or not. | ||
| CVE-2008-0895 | 0.00 | — | 0.00 | Feb 22, 2008 | BEA WebLogic Server and WebLogic Express 6.1 through 10.0 allows remote attackers to bypass authentication for application servlets via crafted request headers. |