|
|
Info |
Last Modified |
| 8 months ago |
|
|
|
|
Description |
The Bea Tuxedo and WebLogic Enterprise administration console contains a flaw that allows an unauthenticated remote user to determine whether a given local file exists, perform a XSS attack, and potentially crash the server process. This flaw exists because the application does not validate the INIFILE variable upon submission to the admin console CGI script. This could allow a user to create a specially crafted URL that would execute arbitrary code in an administrative user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
|
Classification |
Unknown or Incomplete
|
|
Solution |
Upgrade to version 8.1 and apply Rolling Patch 62, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. If upgrading to 8.1 is not possible, contact the vendor for a patch specific to your version.
|
|
Products |
|
WebLogic Server
 |
5.1 |
4.2 |
5.0.1 |
Tuxedo
|
6.3 |
6.4 |
6.5 |
7.1 |
8.0 |
8.1 |
|
|
|
|
|
Credit |
Unknown or Incomplete
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
