|
|
CVE Reference: CVE-2005-1747 |
|
| NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE. | |
|
Original Page at CVE MITRE: CVE-2005-1747 |
|
|
Description: Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 8.1 through Service Pack 4, and 7.0 through Service Pack 6, allow remote attackers to inject arbitrary web script or HTML, and possibly gain administrative privileges, via the (1) j_username or (2) j_password parameters in the login page (LoginForm.jsp), (3) parameters to the error page in the Administration Console, (4) unknown vectors in the Server Console while the administrator has an active session to obtain the ADMINCONSOLESESSION cookie, or (5) an alternate vector in the Server Console that does not require an active session but also leaks the username and password. |
|
|
CVE Status: Candidate |
|
|
References: ST 1014049 SAID Secunia Advisory: SA15486 MISC http://www.appsecinc.com/resources/alerts/general/BEA-002.html http://www.acrossecurity.com/aspr/ASPR-2005-05-24-2-PUB.txt http://www.appsecinc.com/resources/alerts/general/BEA-001.html http://www.acrossecurity.com/aspr/ASPR-2005-05-24-1-PUB.txt BUGTRAQ http://marc.theaimsgroup.com/?l=bugtraq&m=111722380313416&w=2 http://marc.theaimsgroup.com/?l=bugtraq&m=111722298705561&w=2 http://marc.theaimsgroup.com/?l=bugtraq&m=111695844803328&w=2 http://marc.theaimsgroup.com/?l=bugtraq&m=111695921212456&w=2 BID 13717 BEA http://dev2dev.bea.com/pub/advisory/130 |
|
| Return to the previous page. |
