Total
150 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2005-1749 | 2 Bea, Oracle | 2 Weblogic Server, Weblogic Portal | 2024-02-28 | 5.0 MEDIUM | N/A |
Buffer overflow in BEA WebLogic Server and WebLogic Express 6.1 Service Pack 4 allows remote attackers to cause a denial of service (CPU consumption from thread looping). | |||||
CVE-2006-0420 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 5.0 MEDIUM | N/A |
BEA WebLogic Server and WebLogic Express 8.1 through SP4 and 7.0 through SP6 does not properly handle when servlets use relative forwarding, which allows remote attackers to cause a denial of service (slowdown) via unknown attack vectors that cause "looping stack overflow errors." | |||||
CVE-2006-2546 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 5.0 MEDIUM | N/A |
A recommended admin password reset mechanism for BEA WebLogic Server 8.1, when followed before October 10, 2005, causes the administrator password to be stored in cleartext in the domain directory, which could allow attackers to gain privileges. | |||||
CVE-2006-0431 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 2.1 LOW | N/A |
Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 8.1 SP5 allows untrusted applications to obtain the server's SSL identity via unknown attack vectors. | |||||
CVE-2003-1437 | 6 Bea, Hp, Ibm and 3 more | 8 Weblogic Server, Hp-ux, Aix and 5 more | 2024-02-28 | 2.1 LOW | N/A |
BEA WebLogic Express and WebLogic Server 7.0 and 7.0.0.1, stores passwords in plaintext when a keystore is used to store a private key or trust certificate authorities, which allows local users to gain access. | |||||
CVE-2003-1223 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 5.0 MEDIUM | N/A |
The Node Manager for BEA WebLogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (Node Manager crash) via malformed data to the Node Manager's port, as demonstrated by nmap. | |||||
CVE-2003-0151 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 7.5 HIGH | N/A |
BEA WebLogic Server and Express 6.0 through 7.0 does not properly restrict access to certain internal servlets that perform administrative functions, which allows remote attackers to read arbitrary files or execute arbitrary code. | |||||
CVE-2003-1222 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 5.0 MEDIUM | N/A |
BEA Weblogic Express and Server 8.0 through 8.1 SP 1, when using a foreign Java Message Service (JMS) provider, echoes the password for the foreign provider to the console and stores it in cleartext in config.xml, which could allow attackers to obtain the password. | |||||
CVE-2004-0204 | 4 Bea, Borland Software, Businessobjects and 1 more | 9 Weblogic Server, J Builder, Crystal Enterprise and 6 more | 2024-02-28 | 7.5 HIGH | N/A |
Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx. | |||||
CVE-2003-1093 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 4.6 MEDIUM | N/A |
BEA WebLogic Server 6.1, 7.0 and 7.0.0.1, when routing messages to a JMS target domain that is inaccessible, may leak the user's password when it throws a ResourceAllocationException. | |||||
CVE-2003-1095 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 4.6 MEDIUM | N/A |
BEA WebLogic Server and Express 7.0 and 7.0.0.1, when using "memory" session persistence for web applications, does not clear authentication information when a web application is redeployed, which could allow users of that application to gain access without having to re-authenticate. | |||||
CVE-2003-1224 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 2.1 LOW | N/A |
Weblogic.admin for BEA WebLogic Server and Express 7.0 and 7.0.0.1 displays the JDBCConnectionPoolRuntimeMBean password to the screen in cleartext, which allows attackers to read a user's password by physically observing ("shoulder surfing") the screen. | |||||
CVE-2004-0712 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 4.6 MEDIUM | N/A |
The configuration tools (1) config.sh in Unix or (2) config.cmd in Windows for BEA WebLogic Server 8.1 through SP2 create a log file that contains the administrative username and password in cleartext, which could allow local users to gain privileges. | |||||
CVE-2003-1221 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 5.0 MEDIUM | N/A |
BEA WebLogic Express and Server 7.0 through 8.1 SP 1, under certain circumstances when a request to use T3 over SSL (t3s) is made to the insecure T3 port, may use a non-SSL connection for the communication, which could allow attackers to sniff sessions. | |||||
CVE-2004-1757 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 4.6 MEDIUM | N/A |
BEA WebLogic Server and Express 8.1, SP1 and earlier, stores the administrator password in cleartext in config.xml, which allows local users to gain privileges. | |||||
CVE-2002-1030 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 2.6 LOW | N/A |
Race condition in Performance Pack in BEA WebLogic Server and Express 5.1.x, 6.0.x, 6.1.x and 7.0 allows remote attackers to cause a denial of service (crash) via a flood of data and connections. | |||||
CVE-2004-0713 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 6.4 MEDIUM | N/A |
The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown. | |||||
CVE-2003-0622 | 1 Bea | 2 Tuxedo, Weblogic Server | 2024-02-28 | 5.0 MEDIUM | N/A |
The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to cause a denial of service (hang) via pathname arguments that contain MS-DOS device names such as CON and AUX. | |||||
CVE-2004-0652 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 7.2 HIGH | N/A |
BEA WebLogic Server and WebLogic Express 7.0 through 7.0 Service Pack 4, and 8.1 through 8.1 Service Pack 2, allows attackers to obtain the username and password for booting the server by directly accessing certain internal methods. | |||||
CVE-2000-0681 | 1 Bea | 1 Weblogic Server | 2024-02-28 | 10.0 HIGH | N/A |
Buffer overflow in BEA WebLogic server proxy plugin allows remote attackers to execute arbitrary commands via a long URL with a .JSP extension. |