Vulnerabilities (CVE)

Filtered by vendor Bea Subscribe
Filtered by product Weblogic Server
Total 150 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2006-2470 1 Bea 1 Weblogic Server 2025-04-03 7.5 HIGH N/A
Unspecified vulnerability in the WebLogic Server Administration Console for BEA WebLogic Server 9.0 prevents the console from setting custom JDBC security policies correctly, which could allow attackers to bypass intended policies.
CVE-2003-0640 1 Bea 1 Weblogic Server 2025-04-03 10.0 HIGH N/A
BEA WebLogic Server and Express, when using NodeManager to start servers, provides Operator users with privileges to overwrite usernames and passwords, which may allow Operators to gain Admin privileges.
CVE-2004-0713 1 Bea 1 Weblogic Server 2025-04-03 6.4 MEDIUM N/A
The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown.
CVE-2005-4759 1 Bea 1 Weblogic Server 2025-04-03 5.0 MEDIUM N/A
BEA WebLogic Server and WebLogic Express 8.1 and 7.0, during a migration across operating system platforms, do not warn the administrative user about platform differences in URLResource case sensitivity, which might cause local users to inadvertently lose protection of Web Application pages.
CVE-2002-2142 1 Bea 2 Weblogic Integration, Weblogic Server 2025-04-03 7.5 HIGH N/A
An undocumented extension for the Servlet mappings in the Servlet 2.3 specification, when upgrading to WebLogic Server and Express 7.0 Service Pack 1 from BEA WebLogic Server and Express 6.0 through 7.0.0.1, does not prepend a "/" character in certain URL patterns, which prevents the proper enforcement of role mappings and policies in applications that use the extension.
CVE-2005-4767 1 Bea 1 Weblogic Server 2025-04-03 5.1 MEDIUM N/A
BEA WebLogic Server and WebLogic Express 8.1 SP5 and earlier, and 7.0 SP6 and earlier, when using username/password authentication, does not lock out a username after the maximum number of invalid login attempts, which makes it easier for remote attackers to guess the password.
CVE-2006-0430 1 Bea 1 Weblogic Server 2025-04-03 5.0 MEDIUM N/A
Certain configurations of BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6, when connection filters are enabled, cause the server to run more slowly, which makes it easier for remote attackers to cause a denial of service (server slowdown).
CVE-2003-1223 1 Bea 1 Weblogic Server 2025-04-03 5.0 MEDIUM N/A
The Node Manager for BEA WebLogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (Node Manager crash) via malformed data to the Node Manager's port, as demonstrated by nmap.
CVE-2005-4766 1 Bea 1 Weblogic Server 2025-04-03 5.4 MEDIUM N/A
BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 SP5 and earlier, do not encrypt multicast traffic, which might allow remote attackers to read sensitive cluster synchronization messages by sniffing the multicast traffic.
CVE-2005-1380 1 Bea 1 Weblogic Server 2025-04-03 6.8 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in BEA Admin Console 8.1 allows remote attackers to execute arbitrary web script or HTML via the server parameter to a JndiFramesetAction action.
CVE-2003-1226 1 Bea 1 Weblogic Server 2025-04-03 2.1 LOW N/A
BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores certain secrets concerning password encryption insecurely in config.xml, filerealm.properties, and weblogic-rar.xml, which allows local users to learn those secrets and decrypt passwords.
CVE-2005-1744 1 Bea 1 Weblogic Server 2025-04-03 7.5 HIGH 9.8 CRITICAL
BEA WebLogic Server and WebLogic Express 7.0 through Service Pack 5 does not log out users when an application is redeployed, which allows those users to continue to access the application without having to log in again, which may be in violation of newly changed security constraints or role mappings.
CVE-2005-4762 1 Bea 1 Weblogic Server 2025-04-03 7.2 HIGH N/A
BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 and earlier, and 6.1 SP7 and earlier sometimes stores the boot password in the registry in cleartext, which might allow local users to gain administrative privileges.
CVE-2003-0733 1 Bea 3 Liquid Data, Weblogic Integration, Weblogic Server 2025-04-03 6.8 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in WebLogic Integration 7.0 and 2.0, Liquid Data 1.1, and WebLogic Server and Express 5.1 through 7.0, allow remote attackers to execute arbitrary web script and steal authentication credentials via (1) a forward instruction to the Servlet container or (2) other vulnerabilities in the WebLogic Server console application.
CVE-2003-1094 1 Bea 1 Weblogic Server 2025-04-03 7.2 HIGH N/A
BEA WebLogic Server and Express version 7.0 SP3 may follow certain code execution paths that result in an incorrect current user, such as in the frequent use of JNDI initial contexts, which could allow remote authenticated users to gain privileges.
CVE-2004-2424 1 Bea 1 Weblogic Server 2025-04-03 5.0 MEDIUM N/A
BEA WebLogic Server and WebLogic Express 8.1 through 8.1 SP2 allow remote attackers to cause a denial of service (network port consumption) via unknown actions in HTTPS sessions, which prevents the server from releasing the network port when the session ends.
CVE-2006-0432 1 Bea 1 Weblogic Server 2025-04-03 2.1 LOW N/A
Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0, when an Administrator uses the WebLogic Administration Console to add custom security policies, causes incorrect policies to be created, which prevents the server from properly protecting JNDI resources.
CVE-2006-0424 1 Bea 1 Weblogic Server 2025-04-03 4.0 MEDIUM N/A
BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allows remote authenticated guest users to read the server log and obtain sensitive configuration information.
CVE-2003-0622 1 Bea 2 Tuxedo, Weblogic Server 2025-04-03 5.0 MEDIUM N/A
The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to cause a denial of service (hang) via pathname arguments that contain MS-DOS device names such as CON and AUX.
CVE-2006-0419 1 Bea 1 Weblogic Server 2025-04-03 6.4 MEDIUM N/A
BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6 allows anonymous binds to the embedded LDAP server, which allows remote attackers to read user entries or cause a denial of service (unspecified) via a large number of connections.