The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.

The remote host is running BEA WebLogic. Multiple undisclosed vulnerabilities have been reported in every version of WebLogic up to and including 8.1.0 SP2. An attacker may exploit these issues to gain unauthorized access or to gather information about the remote host. BEA WebLogic 8.1 Service Pack 3 addresses these vulnerabilities. 

According to its banner, the remote web server is BEA WebLogic version 8.1 SP2 or older.  There are multiple vulnerabilities in such versions that may allow unauthorized access on the remote host or to get the content of the remote JSP scripts.

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

ID	Name	Product	Family	Severity
2282	BEA WebLogic < 8.1.0 SP 3 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
14722	WebLogic < 8.1 SP3 Multiple Vulnerabilities	Nessus	CGI abuses	high
11213	HTTP TRACE / TRACK Methods Allowed	Nessus	Web Servers	medium

Detections

Analytics

CVE-2004-2320

medium

Tenable Plugins

medium

high

medium