CVSS: 7.8EPSS: 93%CPEs: 3EXPL: 13CVE-2023-21839 – Oracle WebLogic Server Unspecified Vulnerability
https://notcve.org/view.php?id=CVE-2023-21839
17 Jan 2023 — Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentialit... • https://packetstorm.news/files/id/172882 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-21838 – Oracle WebLogic Server IIOP Protocol Deserialization of Untrusted Data Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-21838
17 Jan 2023 — Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availab... • https://www.oracle.com/security-alerts/cpujan2023.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-21837
https://notcve.org/view.php?id=CVE-2023-21837
17 Jan 2023 — Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality im... • https://github.com/hktalent/CVE-2023-21837 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.2EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21616
https://notcve.org/view.php?id=CVE-2022-21616
18 Oct 2022 — Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle ... • https://www.oracle.com/security-alerts/cpuoct2022.html •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21564
https://notcve.org/view.php?id=CVE-2022-21564
19 Jul 2022 — Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 5.3 (Availabili... • https://www.oracle.com/security-alerts/cpujul2022.html •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21560
https://notcve.org/view.php?id=CVE-2022-21560
19 Jul 2022 — Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 5.3 (Availability impac... • https://www.oracle.com/security-alerts/cpujul2022.html •
CVSS: 5.7EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21557
https://notcve.org/view.php?id=CVE-2022-21557
19 Jul 2022 — Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogi... • https://www.oracle.com/security-alerts/cpujul2022.html •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21548
https://notcve.org/view.php?id=CVE-2022-21548
19 Jul 2022 — Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial den... • https://www.oracle.com/security-alerts/cpujul2022.html •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 1CVE-2022-24891 – Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file
https://notcve.org/view.php?id=CVE-2022-24891
27 Apr 2022 — ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the ... • https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 1CVE-2022-23457 – Path Traversal in ESAPI
https://notcve.org/view.php?id=CVE-2022-23457
25 Apr 2022 — ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0... • https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •