Bea SystemsCVEs & Vulnerabilities

14 CVEs affecting Bea Systems products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

weblogic portal 7weblogic server 5weblogic express 3aqualogic interaction 3plumtree collaboration 3weblogic 1plumtree foundation 1apache connector in weblogic server 1
CVE-2010-2375MEDIUMpoc

Package/Privilege: Plugins for Apache, Sun and IIS web servers Unspecified vulnerability in the WebLogic Server component in Oracle Fusion Middleware 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2, and 10.3.3 allows remote attackers to affect confidentiality and integrity, related to IIS.

14 Jul 2010
6.4
CVSS
CVE-2008-3257CRITICALpoc

Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle WebLogic Server (formerly BEA WebLogic Server) 10.3 and earlier allows remote attackers to execute arbitrary code via a long HTTP version string, as demonstrated by a string after "POST /.jsp" in an HTTP request.

22 Jul 2008
10.0
CVSS
CVE-2008-0896MEDIUM

BEA WebLogic Portal 10.0 and 9.2 through MP1, when an administrator deletes a single instance of a content portlet, removes entitlement policies for other content portlets, which allows attackers to bypass intended access restrictions.

23 Feb 2008
4.9
CVSS
CVE-2008-0900MEDIUM

Session fixation vulnerability in BEA WebLogic Server and Express 8.1 SP4 through SP6, 9.2 through MP1, and 10.0 allows remote authenticated users to hijack web sessions via unknown vectors.

23 Feb 2008
6.0
CVSS
CVE-2008-0901HIGH

BEA WebLogic Server and Express 7.0 through 10.0 allows remote attackers to conduct brute force password guessing attacks, even when account lockout has been activated, via crafted URLs that indicate whether a guessed password is successful or not.

23 Feb 2008
7.1
CVSS
CVE-2008-0902MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 6.1 through 10.0 MP1 allow remote attackers to inject arbitrary web script or HTML via unspecified samples. NOTE: this might be the same issue as CVE-2007-2694.

23 Feb 2008
4.3
CVSS
CVE-2008-0903MEDIUM

Unspecified vulnerability in the BEA WebLogic Server and Express proxy plugin, as distributed before November 2007 and before 9.2 MP3 and 10.0 MP2, allows remote attackers to cause a denial of service (web server crash) via a crafted URL.

23 Feb 2008
4.3
CVSS
CVE-2008-0904HIGH

Unspecified vulnerability in the download servlet in BEA Plumtree Collaboration 4.1 through SP2 and AquaLogic Interaction 4.2 through MP1 allows remote attackers to read arbitrary files via a crafted URL.

23 Feb 2008
7.8
CVSS
CVE-2008-0864MEDIUM

Admin Tools in BEA WebLogic Portal 8.1 SP3 through SP6 can inadvertently remove entitlements for pages when an administrator edits the page definition label, which might allow remote attackers to bypass intended access restrictions.

21 Feb 2008
5.0
CVSS
CVE-2008-0865MEDIUM

Unspecified vulnerability in BEA WebLogic Portal 8.1 through SP6 allows remote attackers to bypass entitlements for instances of a floatable WLP portlet via unknown vectors.

21 Feb 2008
5.0
CVSS
CVE-2008-0867MEDIUM

Cross-site scripting (XSS) vulnerability in portal/server.pt in BEA AquaLogic Interaction 6.1 through MP1 and Plumtree Foundation 6.0 through SP1 allows remote attackers to inject arbitrary web script or HTML via the name parameter.

21 Feb 2008
4.3
CVSS
CVE-2008-0868MEDIUM

Cross-site scripting (XSS) vulnerability in Groupspace in BEA WebLogic Portal 10.0 and 9.2 through Maintenance Pack 1 allows remote authenticated users to inject arbitrary web script or HTML via unknown vectors.

21 Feb 2008
4.3
CVSS
CVE-2008-0869MEDIUM

Cross-site scripting (XSS) vulnerability in BEA WebLogic Workshop 8.1 through SP6 and Workshop for WebLogic 9.0 through 10.0 allows remote attackers to inject arbitrary web script or HTML via a "framework defined request parameter" when using WebLogic Workshop or Apache Beehive NetUI framework with page flows.

21 Feb 2008
4.3
CVSS
CVE-2008-0870HIGH

BEA WebLogic Portal 10.0 and 9.2 through Maintenance Pack 2, under certain circumstances, can redirect a user from the https:// URI for the Portal Administration Console to an http URI, which allows remote attackers to sniff the session.

21 Feb 2008
7.5
CVSS
← PrevPage 1 / 1Next →