National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:bea:weblogic_server:6.1:sp6:win32
There are 59 matching records.
Displaying matches 41 through 59.
Vuln ID Summary CVSS Severity
CVE-2005-1748

The embedded LDAP server in BEA WebLogic Server and Express 8.1 through Service Pack 4, and 7.0 through Service Pack 5, allows remote anonymous binds, which may allow remote attackers to view user entries or cause a denial of service.

Published: May 24, 2005; 12:00:00 AM -04:00
    V2: 5.0 MEDIUM
CVE-2005-1749

Buffer overflow in BEA WebLogic Server and WebLogic Express 6.1 Service Pack 4 allows remote attackers to cause a denial of service (CPU consumption from thread looping).

Published: May 24, 2005; 12:00:00 AM -04:00
    V2: 5.0 MEDIUM
CVE-2004-1757

BEA WebLogic Server and Express 8.1, SP1 and earlier, stores the administrator password in cleartext in config.xml, which allows local users to gain privileges.

Published: December 31, 2004; 12:00:00 AM -05:00
    V2: 4.6 MEDIUM
CVE-2004-2320

The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.

Published: December 31, 2004; 12:00:00 AM -05:00
    V2: 5.8 MEDIUM
CVE-2004-2696

BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using Remote Method Invocation (RMI) over Internet Inter-ORB Protocol (IIOP), does not properly handle when multiple logins for different users coming from the same client, which could cause an "unexpected user identity" to be used in an RMI call.

Published: December 31, 2004; 12:00:00 AM -05:00
    V2: 5.5 MEDIUM
CVE-2004-0713

The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown.

Published: July 27, 2004; 12:00:00 AM -04:00
    V2: 6.4 MEDIUM
CVE-2004-1758

BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges.

Published: April 13, 2004; 12:00:00 AM -04:00
    V2: 4.6 MEDIUM
CVE-2003-1093

BEA WebLogic Server 6.1, 7.0 and 7.0.0.1, when routing messages to a JMS target domain that is inaccessible, may leak the user's password when it throws a ResourceAllocationException.

Published: December 31, 2003; 12:00:00 AM -05:00
    V2: 4.6 MEDIUM
CVE-2003-1220

BEA WebLogic Server proxy plugin for BEA Weblogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (proxy plugin crash) via a malformed URL.

Published: December 31, 2003; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2003-1223

The Node Manager for BEA WebLogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (Node Manager crash) via malformed data to the Node Manager's port, as demonstrated by nmap.

Published: December 31, 2003; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2003-1290

BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, with RMI and anonymous admin lookup enabled, allows remote attackers to obtain configuration information by accessing MBeanHome via the Java Naming and Directory Interface (JNDI).

Published: December 31, 2003; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2003-1438

Race condition in BEA WebLogic Server and Express 5.1 through 7.0.0.1, when using in-memory session replication or replicated stateful session beans, causes the same buffer to be provided to two users, which could allow one user to see session data that was intended for another user.

Published: December 31, 2003; 12:00:00 AM -05:00
    V2: 4.3 MEDIUM
CVE-2003-0624

Cross-site scripting (XSS) vulnerability in InteractiveQuery.jsp for BEA WebLogic 8.1 and earlier allows remote attackers to inject malicious web script via the person parameter.

Published: December 01, 2003; 12:00:00 AM -05:00
    V2: 4.3 MEDIUM
CVE-2003-0640

BEA WebLogic Server and Express, when using NodeManager to start servers, provides Operator users with privileges to overwrite usernames and passwords, which may allow Operators to gain Admin privileges.

Published: August 27, 2003; 12:00:00 AM -04:00
    V2: 10.0 HIGH
CVE-2003-0151

BEA WebLogic Server and Express 6.0 through 7.0 does not properly restrict access to certain internal servlets that perform administrative functions, which allows remote attackers to read arbitrary files or execute arbitrary code.

Published: March 24, 2003; 12:00:00 AM -05:00
    V2: 7.5 HIGH
CVE-2002-2142

An undocumented extension for the Servlet mappings in the Servlet 2.3 specification, when upgrading to WebLogic Server and Express 7.0 Service Pack 1 from BEA WebLogic Server and Express 6.0 through 7.0.0.1, does not prepend a "/" character in certain URL patterns, which prevents the proper enforcement of role mappings and policies in applications that use the extension.

Published: December 31, 2002; 12:00:00 AM -05:00
    V2: 7.5 HIGH
CVE-2002-2177

BEA WebLogic Server and Express 6.1 through 7.0.0.1 buffers HTTP requests in a way that can cause BEA to send the same response for two different HTTP requests, which could allow remote attackers to obtain sensitive information that was intended for other users.

Published: December 31, 2002; 12:00:00 AM -05:00
    V2: 2.6 LOW
CVE-2002-1030

Race condition in Performance Pack in BEA WebLogic Server and Express 5.1.x, 6.0.x, 6.1.x and 7.0 allows remote attackers to cause a denial of service (crash) via a flood of data and connections.

Published: October 04, 2002; 12:00:00 AM -04:00
    V2: 2.6 LOW
CVE-2002-0106

BEA Systems Weblogic Server 6.1 allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.

Published: March 25, 2002; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM