Vulnerability Name:

CVE-2008-0902 (CCN-34365)

Assigned:2007-05-15
Published:2007-05-15
Updated:2011-03-08
Summary:Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 6.1 through 10.0 MP1 allow remote attackers to inject arbitrary web script or HTML via unspecified samples.
Note: this might be the same issue as CVE-2007-2694.
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2007-2694

Source: MITRE
Type: CNA
CVE-2008-0902

Source: BEA
Type: Patch
BEA08-80.04

Source: CCN
Type: SA25284
BEA Products Multiple Vulnerabilities

Source: CCN
Type: SA29041
BEA WebLogic Products Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
29041

Source: CCN
Type: OSVDB ID: 36075
BEA WebLogic Unspecified XSS

Source: CCN
Type: OSVDB ID: 41899
BEA WebLogic Multiple Unspecified XSS

Source: CCN
Type: BID-23979
Multiple BEA WebLogic Applications Multiple Vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2008-0612

Source: XF
Type: UNKNOWN
weblogic-unspecified-xss(34365)

Source: CCN
Type: BEA07-80.03
Patches available to prevent multiple cross-site scripting (XSS) vulnerabilities

Vulnerable Configuration:Configuration 1:
  • cpe:/a:bea:weblogic_server:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.1:sp1:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.1:sp2:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.1:sp3:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.1:sp4:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.1:sp5:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.1:sp6:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.1:sp7:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0:sp1:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0:sp2:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0:sp3:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0:sp4:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0:sp5:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0:sp6:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0:sp7:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:8.1:sp1:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:8.1:sp2:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:8.1:sp3:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:8.1:sp4:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:8.1:sp5:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:8.1:sp6:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:9.0:ga:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:9.1:ga:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:bea_systems:weblogic_server:10.0_mp1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    bea weblogic server 6.1
    bea weblogic server 6.1 sp1
    bea weblogic server 6.1 sp2
    bea weblogic server 6.1 sp3
    bea weblogic server 6.1 sp4
    bea weblogic server 6.1 sp5
    bea weblogic server 6.1 sp6
    bea weblogic server 6.1 sp7
    bea weblogic server 7.0
    bea weblogic server 7.0 sp1
    bea weblogic server 7.0 sp2
    bea weblogic server 7.0 sp3
    bea weblogic server 7.0 sp4
    bea weblogic server 7.0 sp5
    bea weblogic server 7.0 sp6
    bea weblogic server 7.0 sp7
    bea weblogic server 8.1
    bea weblogic server 8.1 sp1
    bea weblogic server 8.1 sp2
    bea weblogic server 8.1 sp3
    bea weblogic server 8.1 sp4
    bea weblogic server 8.1 sp5
    bea weblogic server 8.1 sp6
    bea weblogic server 9.0 ga
    bea weblogic server 9.1 ga
    bea weblogic server 10.0
    bea_systems weblogic server 10.0_mp1