National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:oracle:application_server:9.0.2
There are 33 matching records.
Displaying matches 21 through 33.
Vuln ID Summary CVSS Severity
CVE-2002-1635

The Apache configuration file (httpd.conf) in Oracle 9i Application Server (9iAS) uses a Location alias for /perl directory instead of a ScriptAlias, which allows remote attackers to read the source code of arbitrary CGI files via a URL containing the /perl directory instead of /cgi-bin.

Published: December 31, 2002; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2002-1858

Oracle Oracle9i Application Server 1.0.2.2 and 9.0.2 through 9.0.2.0.1, when running on Windows, allows remote attackers to retrieve files in the WEB-INF directory, which contains Java class files and configuration information, via a request to the WEB-INF directory with a trailing dot ("WEB-INF.").

Published: December 31, 2002; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2002-2345

Oracle 9i Application Server 9.0.2 stores the web cache administrator interface password in plaintext, which allows remote attackers to gain access.

Published: December 31, 2002; 12:00:00 AM -05:00
    V2: 7.5 HIGH
CVE-2002-2347

Cross-site scripting (XSS) vulnerability in Oracle Java Server Page (OJSP) demo files (1) hellouser.jsp, (2) welcomeuser.jsp and (3) usebean.jsp in Oracle 9i Application Server 9.0.2, 1.0.2.2, 1.0.2.1s and 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the text entry field.

Published: December 31, 2002; 12:00:00 AM -05:00
    V2: 4.3 MEDIUM
CVE-2002-0386

The administration module for Oracle Web Cache in Oracle9iAS (9i Application Suite) 9.0.2 allows remote attackers to cause a denial of service (crash) via (1) an HTTP GET request containing a ".." (dot dot) sequence, or (2) a malformed HTTP GET request with a chunked Transfer-Encoding with missing data.

Published: November 04, 2002; 12:00:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2002-0840

Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157.

Published: October 11, 2002; 12:00:00 AM -04:00
    V2: 6.8 MEDIUM
CVE-2002-0843

Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.

Published: October 11, 2002; 12:00:00 AM -04:00
    V2: 7.5 HIGH
CVE-2002-0947

Buffer overflow in rwcgi60 CGI program for Oracle Reports Server 6.0.8.18.0 and earlier, as used in Oracle9iAS and other products, allows remote attackers to execute arbitrary code via a long database name parameter.

Published: October 04, 2002; 12:00:00 AM -04:00
    V2: 7.5 HIGH
CVE-2002-1089

rwcgi60 CGI program in Oracle Reports Server, by design, provides sensitive information such as the full pathname, which could enable remote attackers to use the information in additional attacks.

Published: October 04, 2002; 12:00:00 AM -04:00
    V2: 5.0 MEDIUM
CVE-2002-0655

OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code.

Published: August 12, 2002; 12:00:00 AM -04:00
    V2: 7.5 HIGH
CVE-2002-0656

Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3.

Published: August 12, 2002; 12:00:00 AM -04:00
    V2: 7.5 HIGH
CVE-2002-0659

The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service via invalid encodings.

Published: August 12, 2002; 12:00:00 AM -04:00
    V2: 5.0 MEDIUM
CVE-2002-1637

Multiple components in Oracle 9i Application Server (9iAS) are installed with over 160 default usernames and passwords, including (1) SYS, (2) SYSTEM, (3) AQJAVA, (4) OWA, (5) IMAGEUSER, (6) USER1, (7) USER2, (8) PLSQL, (9) DEMO, (10) FINANCE, and many others, which allows attackers to gain privileges.

Published: February 26, 2002; 12:00:00 AM -05:00
    V2: 4.6 MEDIUM