Multiple vulnerabilities in Oracle WebLogic Server
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2024-23635 CVE-2024-29857 CVE-2025-21549 CVE-2024-47554 CVE-2023-7272 CVE-2025-21535 |
| CWE-ID | CWE-79 CWE-400 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Oracle WebLogic Server Server applications / Application servers |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU86736
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-23635
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when parsing comment tags. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of the vulnerability requires that the preserveComments directive is enabled in policy file.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle WebLogic Server: 14.1.1.0.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2025.html?3219
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource exhaustion
EUVDB-ID: #VU89218
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-29857
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to library does not properly control consumption of internal resources when importing an EC certificate with specially crafted F2m parameters. A remote attacker can pass a specially crafted certificate to the application to trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0
CPE2.3- cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
http://www.oracle.com/security-alerts/cpujan2025.html?3219
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU103150
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2025-21549
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle WebLogic Server: 14.1.1.0.0
CPE2.3 External linkshttp://www.oracle.com/security-alerts/cpujan2025.html?3219
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU98025
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-47554
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling untrusted input passed to the org.apache.commons.io.input.XmlStreamReader class. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle WebLogic Server: 12.2.1.4.0 - 14.1.2.0.0
CPE2.3- cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*
http://www.oracle.com/security-alerts/cpujan2025.html?3219
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper input validation
EUVDB-ID: #VU103149
Risk: High
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-7272
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to a crash the entire system.
The vulnerability exists due to improper input validation within the Centralized Thirdparty Jars (Eclipse Parsson) component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to a crash the entire system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0
CPE2.3- cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
http://www.oracle.com/security-alerts/cpujan2025.html?3219
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper input validation
EUVDB-ID: #VU103148
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2025-21535
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0
CPE2.3- cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
http://www.oracle.com/security-alerts/cpujan2025.html?3219
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
