CVSS: 4.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

Cross-site scripting (XSS) vulnerability in portal/server.pt in BEA AquaLogic Interaction 6.1 through MP1 and Plumtree Foundation 6.0 through SP1 allows remote attackers to inject arbitrary web script or HTML via the name parameter.

References:
• http://dev2dev.bea.com/pub/advisory/259
• http://secunia.com/advisories/29040
• http://www.procheckup.com/Vulnerability_PR06-12.php
• http://www.securityfocus.com/archive/1/488346/100/100/threaded
• http://www.securitytracker.com/id?1019440
• http://www.vupen.com/english/advisories/2008/0610

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.0 • EPSS: 0% • CPEs: 4 • EXPL: 0

Admin Tools in BEA WebLogic Portal 8.1 SP3 through SP6 can inadvertently remove entitlements for pages when an administrator edits the page definition label, which might allow remote attackers to bypass intended access restrictions.

References:
• http://dev2dev.bea.com/pub/advisory/256
• http://secunia.com/advisories/29041
• http://www.securitytracker.com/id?1019454
• http://www.vupen.com/english/advisories/2008/0613

CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.0 • EPSS: 0% • CPEs: 7 • EXPL: 0

Unspecified vulnerability in BEA WebLogic Portal 8.1 through SP6 allows remote attackers to bypass entitlements for instances of a floatable WLP portlet via unknown vectors.

References:
• http://dev2dev.bea.com/pub/advisory/257
• http://secunia.com/advisories/29041
• http://www.securitytracker.com/id?1019451
• http://www.vupen.com/english/advisories/2008/0613

CWE-264: Permissions, Privileges, and Access Controls

CVSS: 7.5 • EPSS: 1% • CPEs: 4 • EXPL: 0

BEA WebLogic Portal 10.0 and 9.2 through Maintenance Pack 2, under certain circumstances, can redirect a user from the https:// URI for the Portal Administration Console to an http URI, which allows remote attackers to sniff the session.

References:
• http://dev2dev.bea.com/pub/advisory/264
• http://secunia.com/advisories/29041
• http://www.securitytracker.com/id?1019442
• http://www.vupen.com/english/advisories/2008/0613

CWE-59: Improper Link Resolution Before File Access ('Link Following')