Bea
Products (23)
- 160 CVEs
- 69 CVEs
- 17 CVEs
- 6 CVEs
- 5 CVEs
- 4 CVEs
- 4 CVEs
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs (191)

| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2005-1744 | Critical | 0.64 | 9.8 | 0.02 | May 24, 2005 | BEA WebLogic Server and WebLogic Express 7.0 through Service Pack 5 does not log out users when an application is redeployed, which allows those users to continue to access the application without having to log in again, which may be in violation of newly changed security… |
| CVE-2000-0499 | High | 0.49 | 7.5 | 0.03 | Jun 8, 2000 | The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. |
| CVE-2004-2320 | Medium | 0.35 | 5.3 | 0.03 | Dec 31, 2004 | The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in… |
| CVE-2008-3257 | | 0.10 | — | 0.84 | Jul 22, 2008 | Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle WebLogic Server (formerly BEA WebLogic Server) 10.3 and earlier allows remote attackers to execute arbitrary code via a long HTTP version string, as demonstrated by a string after "POST /.jsp" in an HTTP… |
| CVE-2004-0204 | | 0.09 | — | 0.73 | Aug 6, 2004 | Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows… |
| CVE-2001-0098 | | 0.09 | — | 0.78 | Feb 12, 2001 | Buffer overflow in Bea WebLogic Server before 5.1.0 allows remote attackers to execute arbitrary commands via a long URL that begins with a ".." string. |
| CVE-2008-5457 | | 0.08 | — | 0.61 | Jan 14, 2009 | Unspecified vulnerability in the Oracle BEA WebLogic Server Plugins for Apache, Sun and IIS web servers component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 allows remote attackers to affect confidentiality, integrity, and availability via… |
| CVE-2008-4008 | | 0.08 | — | 0.56 | Oct 14, 2008 | Unspecified vulnerability in the WebLogic Server Plugins for Apache component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, and 6.1 SP7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the… |
| CVE-2010-2375 | | 0.04 | — | 0.07 | Jul 13, 2010 | Package/Privilege: Plugins for Apache, Sun and IIS web servers. Unspecified vulnerability in the WebLogic Server component in Oracle Fusion Middleware 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2, and 10.3.3 allows remote attackers to affect confidentiality and… |
| CVE-2007-6198 | | 0.04 | — | 0.07 | Dec 1, 2007 | portal/server.pt in the Plumtree portal in BEA AquaLogic Interaction 5.0.2 through 5.0.4 and 6.0.1.218452 allows wildcards in advanced searches for usernames, which allows remote attackers to enumerate valid usernames via the in_tx_fulltext parameter. |
| CVE-2003-0621 | | 0.04 | — | 0.07 | Dec 1, 2003 | The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to determine the existence of files outside the web root via modified paths in the INIFILE argument. |
| CVE-2002-0106 | | 0.04 | — | 0.07 | Mar 25, 2002 | BEA Systems Weblogic Server 6.1 allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name. |
| CVE-2000-0684 | | 0.04 | — | 0.12 | Oct 20, 2000 | BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet, which could allow remote attackers to compile and execute Java JSP code by directly invoking the servlet on any source file. |
| CVE-2000-0681 | | 0.04 | — | 0.51 | Oct 20, 2000 | Buffer overflow in BEA WebLogic server proxy plugin allows remote attackers to execute arbitrary commands via a long URL with a .JSP extension. |
| CVE-2000-0685 | | 0.04 | — | 0.12 | Oct 20, 2000 | BEA WebLogic 5.1.x does not properly restrict access to the PageCompileServlet, which could allow remote attackers to compile and execute Java JHTML code by directly invoking the servlet on any source file. |
| CVE-2005-1380 | | 0.03 | — | 0.05 | May 3, 2005 | Cross-site scripting (XSS) vulnerability in BEA Admin Console 8.1 allows remote attackers to execute arbitrary web script or HTML via the server parameter to a JndiFramesetAction action. |
| CVE-2003-0624 | | 0.03 | — | 0.03 | Dec 1, 2003 | Cross-site scripting (XSS) vulnerability in InteractiveQuery.jsp for BEA WebLogic 8.1 and earlier allows remote attackers to inject malicious web script via the person parameter. |
| CVE-2000-0500 | | 0.03 | — | 0.05 | Jun 21, 2000 | The default configuration of BEA WebLogic 5.1.0 allows a remote attacker to view source code of programs by requesting a URL beginning with /file/, which causes the default servlet to display the file without further processing. |
| CVE-2007-2699 | | 0.02 | — | 0.31 | May 16, 2007 | The Administration Console in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not properly enforce certain Domain Security Policies, which allows remote administrative users in the Deployer role to upload arbitrary files. |
| CVE-2008-0900 | | 0.01 | — | 0.10 | Feb 22, 2008 | Session fixation vulnerability in BEA WebLogic Server and Express 8.1 SP4 through SP6, 9.2 through MP1, and 10.0 allows remote authenticated users to hijack web sessions via unknown vectors. |