
CVSS: 5.8 | EPSS: 0% | CPEs: 85 | EXPL: 0

The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.
References: http://dev2dev.bea.com/pub/advisory/68 http://secunia.com/advisories/10726 http://www.kb.cert.org/vuls/id/867593 http://www.osvdb.org/3726 http://www.securityfocus.com/bid/9506 http://www.securitytracker.com/alerts/2004/Jan/1008866.html https://exchange.xforce.ibmcloud.com/vulnerabilities/14959
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
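The practical check for this entry is whether the server still answers TRACE: a server that honours it echoes the full request back in a 200 response with Content-Type message/http, including any Cookie or Authorization header the browser attached, which is what an XST attack reads out through a cross-site scripting hole. The probe below is an added example, not code from the original listing or from BEA; it speaks raw HTTP over a socket so that no client library silently rewrites the method, and it classifies the reply by looking for a canary header in the echoed body. The host, port, canary header name and the two sample replies are constructed assumptions.

```python
"""Probe an HTTP server for TRACE support and judge XST exposure.

Added example, not from the original listing or from BEA. Host/port,
the canary header name and the sample replies below are assumptions.
"""
import socket

CANARY_HEADER = "X-Xst-Canary"   # assumed name; any unusual header works
CANARY_VALUE = "xst-probe-7f3a"  # constructed marker to look for in the echo


def build_trace_request(host: str, path: str = "/") -> bytes:
    """Minimal TRACE request carrying a canary header and a fake cookie.

    A server that honours TRACE echoes the whole request in the body of a
    200 response (Content-Type: message/http), cookie and all.
    """
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"{CANARY_HEADER}: {CANARY_VALUE}",
        "Cookie: JSESSIONID=probe",   # constructed; stands in for a real session
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_status(raw: bytes) -> int:
    """Return the HTTP status code from a raw response, 0 if unparseable."""
    head = raw.split(b"\r\n", 1)[0].split(b" ")
    try:
        return int(head[1])
    except (IndexError, ValueError):
        return 0


def judge_trace_response(raw: bytes) -> dict:
    """Classify a raw response to the TRACE request built above.

    Keys: status, echoed (canary header appears in the body), and
    xst_exposed (2xx status and the request was echoed back).
    """
    status = parse_status(raw)
    header_end = raw.find(b"\r\n\r\n")
    body = raw[header_end + 4:] if header_end != -1 else b""
    echoed = f"{CANARY_HEADER}: {CANARY_VALUE}".encode("ascii") in body
    return {"status": status, "echoed": echoed,
            "xst_exposed": 200 <= status < 300 and echoed}


def trace_probe(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Send the TRACE request to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return judge_trace_response(b"".join(chunks))


# Constructed sample replies, so the classifier can be exercised offline.
VULNERABLE_REPLY = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
    + build_trace_request("weblogic.example.test")
)
HARDENED_REPLY = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\nConnection: close\r\n\r\n"
)

if __name__ == "__main__":
    print("vulnerable sample:", judge_trace_response(VULNERABLE_REPLY))
    print("hardened sample:  ", judge_trace_response(HARDENED_REPLY))
    # Live use, against a host you are authorised to test:
    # print(trace_probe("weblogic.example.test", 7001))
```

A 405 or 501 with no echo is the expected result after the method is disabled; a 200 whose body contains the canary line means the server reflects request headers and the XST path is open wherever an XSS exists in a hosted application.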

CVSS: 2.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

BEA WebLogic Server and Express 8.1 SP1 and earlier allows local users in the Operator role to obtain administrator passwords via MBean attributes, including (1) ServerStartMBean.Password and (2) NodeManagerMBean.CertificatePassword.
References: http://dev2dev.bea.com/pub/advisory/1 http://www.securityfocus.com/bid/9505 http://www.securitytracker.com/alerts/2004/Jan/1008867.html https://exchange.xforce.ibmcloud.com/vulnerabilities/14962

CVSS: 5.5 | EPSS: 0% | CPEs: 61 | EXPL: 0

BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using Remote Method Invocation (RMI) over Internet Inter-ORB Protocol (IIOP), does not properly handle multiple logins for different users coming from the same client, which could cause an "unexpected user identity" to be used in an RMI call.
References: http://dev2dev.bea.com/pub/advisory/59 http://secunia.com/advisories/11865 http://securitytracker.com/id?1010493 http://www.osvdb.org/7081 http://www.securityfocus.com/bid/10545 https://exchange.xforce.ibmcloud.com/vulnerabilities/16421
CWE-255: Credentials Management Errors

CVSS: 7.5 | EPSS: 0% | CPEs: 21 | EXPL: 0

The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "*" as wildcards, as if they were the legal "/*" pattern. WebLogic 7.x properly rejects such illegal patterns, so a security constraint written against the 6.x behaviour is not applied there, which could allow remote attackers to bypass intended access restrictions.
References: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_56.00.jsp http://www.kb.cert.org/vuls/id/184558 http://www.securityfocus.com/bid/10184 https://exchange.xforce.ibmcloud.com/vulnerabilities/15927
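The security-relevant point in this entry is that the same deployment descriptor yields different protection on the two versions: a lenient matcher silently widens "/admin*" into "/admin/*", while a strict matcher rejects it and attaches nothing, leaving "/admin" and everything under it unconstrained. The model below is an added example, not WebLogic's matcher; the strict rules follow the servlet specification's url-pattern grammar (exact path, "/prefix/*", or "*.ext"), the lenient rewrite follows the 6.x behaviour the entry describes, and the descriptor patterns and request paths are constructed.

```python
"""Model a security-constraint url-pattern under a lenient (WebLogic
6.x-style) versus strict (7.x-style) matcher.

Added example, not WebLogic's code. Strict rules follow the servlet
specification grammar; the lenient rewrite models the 6.x behaviour the
entry describes. Sample patterns and request paths are constructed.
"""
from __future__ import annotations


def is_legal_pattern(pattern: str) -> bool:
    """Servlet-spec url-pattern grammar: "", "/", "/exact", "/prefix/*", "*.ext"."""
    if pattern in ("", "/"):
        return True
    if pattern.startswith("*."):
        return "/" not in pattern and pattern.count("*") == 1
    if pattern.endswith("/*"):
        return "*" not in pattern[:-1]
    return pattern.startswith("/") and "*" not in pattern


def normalise_lenient(pattern: str) -> str:
    """6.x-style behaviour: a trailing "*" not preceded by "/" is read as "/*"."""
    if (pattern.endswith("*") and not pattern.endswith("/*")
            and not pattern.startswith("*.")):
        return pattern[:-1] + "/*"
    return pattern


def pattern_matches(pattern: str, path: str) -> bool:
    """Match one legal url-pattern against a request path."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern in ("", "/"):
        return True
    return path == pattern


def protected_paths(constraint_patterns: list[str], paths: list[str],
                    strict: bool) -> dict[str, bool]:
    """For each request path, say whether some constraint pattern covers it.

    strict=True drops illegal patterns (7.x); strict=False rewrites them (6.x).
    """
    effective = []
    for p in constraint_patterns:
        if is_legal_pattern(p):
            effective.append(p)
        elif not strict:
            effective.append(normalise_lenient(p))
        # strict: the illegal pattern is rejected and nothing is attached for it
    return {path: any(pattern_matches(p, path) for p in effective)
            for path in paths}


# Constructed descriptor: one legal prefix pattern and one illegal one.
CONSTRAINTS = ["/reports/*", "/admin*"]
REQUESTS = ["/admin/console", "/admin", "/reports/q1", "/public/index.jsp"]

if __name__ == "__main__":
    for strict in (False, True):
        label = "strict (7.x)" if strict else "lenient (6.x)"
        print(label, protected_paths(CONSTRAINTS, REQUESTS, strict=strict))
```

Running it shows "/admin" and "/admin/console" protected under the lenient matcher and unprotected under the strict one, while "/reports/q1" stays protected in both; auditing a migrated web.xml for patterns that fail is_legal_pattern is the corresponding check.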

CVSS: 6.4 | EPSS: 1% | CPEs: 44 | EXPL: 0

The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown.
References: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_57.00.jsp http://www.kb.cert.org/vuls/id/658878 http://www.securityfocus.com/bid/10185 https://exchange.xforce.ibmcloud.com/vulnerabilities/15928