CVE-2005-1747

BEA WebLogic Server 7.0-8.1 - Cross-Site Scripting via Login Parameters and Console Pages

Title source: llm
STIX 2.1

Description

Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 8.1 through Service Pack 4, and 7.0 through Service Pack 6, allow remote attackers to inject arbitrary web script or HTML, and possibly gain administrative privileges, via the (1) j_username or (2) j_password parameters in the login page (LoginForm.jsp), (3) parameters to the error page in the Administration Console, (4) unknown vectors in the Server Console while the administrator has an active session to obtain the ADMINCONSOLESESSION cookie, or (5) an alternate vector in the Server Console that does not require an active session but also leaks the username and password.

References (13)

Core 13
Core References
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=111695921212456&w=2
Vendor Advisory vendor-advisory x_refsource_bea
http://dev2dev.bea.com/pub/advisory/130
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15486
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=111722380313416&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1014049
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/0607
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=111695844803328&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/13717
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=111722298705561&w=2

Scores

EPSS 0.0267
EPSS Percentile 86.0%

Details

Status published
Products (4)
bea/weblogic_server 6.0 (9 CPE variants)
bea/weblogic_server 6.1 (20 CPE variants)
bea/weblogic_server 7.0 (18 CPE variants)
bea/weblogic_server 7.0.0.1 (3 CPE variants)
Published May 24, 2005
Tracked Since Feb 18, 2026