3 results (0.009 seconds)

CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0

BEA WebLogic Portal 10.0 and 9.2 through MP1, when an administrator deletes a single instance of a content portlet, removes entitlement policies for other content portlets, which allows attackers to bypass intended access restrictions. BEA WebLogic Portal 10.0 y de 9.2 a MP1, cuando un administrador elimina una instancia única de un portlet de contenido, elimina las políticas de derechos para otros portlets de contenido, lo que permite a atacantes evitar las restricciones de acceso previstas. • http://dev2dev.bea.com/pub/advisory/266 http://secunia.com/advisories/29041 http://www.securitytracker.com/id?1019453 http://www.vupen.com/english/advisories/2008/0613 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0

Cross-site scripting (XSS) vulnerability in Groupspace in BEA WebLogic Portal 10.0 and 9.2 through Maintenance Pack 1 allows remote authenticated users to inject arbitrary web script or HTML via unknown vectors. Vulnerabilidad de ejecución de comandos en sitios cruzados en BEA WebLogic Portal 10.0 y 9.2 desde el Maintenance Pack 1, que permite a usuarios autentificados remotamente inyectar secuencias de comandos web o HTML de su elección a través de vectores desconocidos. • http://dev2dev.bea.com/pub/advisory/261 http://secunia.com/advisories/29041 http://www.securitytracker.com/id?1019452 http://www.vupen.com/english/advisories/2008/0613 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0

BEA WebLogic Portal 10.0 and 9.2 through Maintenance Pack 2, under certain circumstances, can redirect a user from the https:// URI for the Portal Administration Console to an http URI, which allows remote attackers to sniff the session. BEA WebLogic Portal 10.0 y 9.2 desde el Maintenance Pack 2, bajo determinadas circunstancias, puede redireccionar a un usuario desde la URI https:// de la consola del Portal de Administración a una URI http://, que permitiría a atacantes remotos capturar la sesión. • http://dev2dev.bea.com/pub/advisory/264 http://secunia.com/advisories/29041 http://www.securitytracker.com/id?1019442 http://www.vupen.com/english/advisories/2008/0613 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •