Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Bea Subscribe
Filtered by product Weblogic Server
Total 150 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2004-0470 1 Bea 1 Weblogic Server 2017-07-10 7.5 HIGH N/A
BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application.
CVE-2004-0471 1 Bea 1 Weblogic Server 2017-07-10 2.1 LOW N/A
BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2 does not enforce site restrictions for starting and stopping servers for users in the Admin and Operator security roles, which allows unauthorized users to cause a denial of service (service shutdown).
CVE-2004-0652 1 Bea 1 Weblogic Server 2017-07-10 7.2 HIGH N/A
BEA WebLogic Server and WebLogic Express 7.0 through 7.0 Service Pack 4, and 8.1 through 8.1 Service Pack 2, allows attackers to obtain the username and password for booting the server by directly accessing certain internal methods.
CVE-2004-0712 1 Bea 1 Weblogic Server 2017-07-10 4.6 MEDIUM N/A
The configuration tools (1) config.sh in Unix or (2) config.cmd in Windows for BEA WebLogic Server 8.1 through SP2 create a log file that contains the administrative username and password in cleartext, which could allow local users to gain privileges.
CVE-2003-0622 1 Bea 2 Tuxedo, Weblogic Server 2017-07-10 5.0 MEDIUM N/A
The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to cause a denial of service (hang) via pathname arguments that contain MS-DOS device names such as CON and AUX.
CVE-2003-1095 1 Bea 1 Weblogic Server 2017-07-10 4.6 MEDIUM N/A
BEA WebLogic Server and Express 7.0 and 7.0.0.1, when using "memory" session persistence for web applications, does not clear authentication information when a web application is redeployed, which could allow users of that application to gain access without having to re-authenticate.
CVE-2003-1094 1 Bea 1 Weblogic Server 2017-07-10 7.2 HIGH N/A
BEA WebLogic Server and Express version 7.0 SP3 may follow certain code execution paths that result in an incorrect current user, such as in the frequent use of JNDI initial contexts, which could allow remote authenticated users to gain privileges.
CVE-2003-1093 1 Bea 1 Weblogic Server 2017-07-10 4.6 MEDIUM N/A
BEA WebLogic Server 6.1, 7.0 and 7.0.0.1, when routing messages to a JMS target domain that is inaccessible, may leak the user's password when it throws a ResourceAllocationException.
CVE-2000-1238 1 Bea 1 Weblogic Server 2017-07-10 7.5 HIGH N/A
BEA Systems WebLogic Express and WebLogic Server 5.1 SP1-SP6 allows remote attackers to bypass access controls for restricted JSP or servlet pages via a URL with multiple / (forward slash) characters before the restricted pages.
CVE-2003-0624 1 Bea 1 Weblogic Server 2017-07-10 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in InteractiveQuery.jsp for BEA WebLogic 8.1 and earlier allows remote attackers to inject malicious web script via the person parameter.
CVE-2003-0623 1 Bea 2 Tuxedo, Weblogic Server 2017-07-10 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to inject arbitrary web script via the INIFILE argument.
CVE-2003-0621 1 Bea 2 Tuxedo, Weblogic Server 2017-07-10 5.0 MEDIUM N/A
The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to determine the existence of files outside the web root via modified paths in the INIFILE argument.
CVE-2003-0151 1 Bea 1 Weblogic Server 2016-10-17 7.5 HIGH N/A
BEA WebLogic Server and Express 6.0 through 7.0 does not properly restrict access to certain internal servlets that perform administrative functions, which allows remote attackers to read arbitrary files or execute arbitrary code.
CVE-2002-0106 1 Bea 1 Weblogic Server 2016-10-17 5.0 MEDIUM N/A
BEA Systems Weblogic Server 6.1 allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
CVE-2008-0902 2 Bea, Bea Systems 2 Weblogic Server, Weblogic Server 2011-03-07 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 6.1 through 10.0 MP1 allow remote attackers to inject arbitrary web script or HTML via unspecified samples. NOTE: this might be the same issue as CVE-2007-2694.
CVE-2008-0898 1 Bea 1 Weblogic Server 2011-03-07 5.8 MEDIUM N/A
The distributed queue feature in JMS in BEA WebLogic Server 9.0 through 10.0, in certain configurations, does not properly handle when a client cannot send a message to a member of a distributed queue, which allows remote authenticated users to bypass intended access restrictions for protected distributed queues.
CVE-2008-0900 2 Bea, Bea Systems 2 Weblogic Server, Weblogic Express 2011-03-07 6.0 MEDIUM N/A
Session fixation vulnerability in BEA WebLogic Server and Express 8.1 SP4 through SP6, 9.2 through MP1, and 10.0 allows remote authenticated users to hijack web sessions via unknown vectors.
CVE-2008-0899 1 Bea 1 Weblogic Server 2011-03-07 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Administration Console in BEA WebLogic Server and Express 9.0 through 10.0 allows remote attackers to inject arbitrary web script or HTML via URLs that are not properly handled by the Unexpected Exception Page.
CVE-2008-0863 1 Bea 1 Weblogic Server 2011-03-07 5.0 MEDIUM N/A
BEA WebLogic Server and WebLogic Express 9.0 and 9.1 exposes the web service's WSDL and security policies, which allows remote attackers to obtain sensitive information and potentially launch further attacks.
CVE-2008-0869 2 Bea, Bea Systems 3 Weblogic Server, Weblogic Workshop, Weblogic 2011-03-07 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in BEA WebLogic Workshop 8.1 through SP6 and Workshop for WebLogic 9.0 through 10.0 allows remote attackers to inject arbitrary web script or HTML via a "framework defined request parameter" when using WebLogic Workshop or Apache Beehive NetUI framework with page flows.