{"api_version":"1","generated_at":"2026-04-23T05:14:05+00:00","cve":"CVE-2008-0866","urls":{"html":"https://cve.report/CVE-2008-0866","api":"https://cve.report/api/cve/CVE-2008-0866.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2008-0866","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2008-0866"},"summary":{"title":"CVE-2008-0866","description":"Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Workshop allow remote attackers to inject arbitrary web script or HTML via an invalid action URI, which is not properly handled by NetUI page flows.","state":"PUBLISHED","assigner":"mitre","published_at":"2008-02-21 01:44:00","updated_at":"2026-04-23 00:35:47"},"problem_types":["CWE-79","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"}}],"references":[{"url":"http://dev2dev.bea.com/pub/advisory/258","name":"http://dev2dev.bea.com/pub/advisory/258","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Oracle Fusion Middleware Technologies","mime":"text/html","httpstatus":"200","archivestatus":"406"},{"url":"http://www.vupen.com/english/advisories/2008/0611","name":"http://www.vupen.com/english/advisories/2008/0611","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id?1019441","name":"http://www.securitytracker.com/id?1019441","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"WebLogic Workshop NetUI Input Validation Bugs Permit Cross-Site Scripting Attacks - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/29041","name":"http://secunia.com/advisories/29041","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"About Secunia Research | Flexera","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2008-0866","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2008-0866","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2008","cve_id":"866","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"bea","cpe5":"weblogic_workshop","cpe6":"8.1","cpe7":"sp2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"866","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"bea","cpe5":"weblogic_workshop","cpe6":"8.1","cpe7":"sp3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"866","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"bea","cpe5":"weblogic_workshop","cpe6":"8.1","cpe7":"sp4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"866","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"bea","cpe5":"weblogic_workshop","cpe6":"8.1","cpe7":"sp5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-07T08:01:40.100Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"1019441","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://www.securitytracker.com/id?1019441"},{"name":"BEA08-185.00","tags":["vendor-advisory","x_refsource_BEA","x_transferred"],"url":"http://dev2dev.bea.com/pub/advisory/258"},{"name":"29041","tags":["third-party-advisory","x_refsource_SECUNIA","x_transferred"],"url":"http://secunia.com/advisories/29041"},{"name":"ADV-2008-0611","tags":["vdb-entry","x_refsource_VUPEN","x_transferred"],"url":"http://www.vupen.com/english/advisories/2008/0611"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2008-02-19T00:00:00.000Z","descriptions":[{"lang":"en","value":"Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Workshop allow remote attackers to inject arbitrary web script or HTML via an invalid action URI, which is not properly handled by NetUI page flows."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2008-03-11T09:00:00.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"1019441","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://www.securitytracker.com/id?1019441"},{"name":"BEA08-185.00","tags":["vendor-advisory","x_refsource_BEA"],"url":"http://dev2dev.bea.com/pub/advisory/258"},{"name":"29041","tags":["third-party-advisory","x_refsource_SECUNIA"],"url":"http://secunia.com/advisories/29041"},{"name":"ADV-2008-0611","tags":["vdb-entry","x_refsource_VUPEN"],"url":"http://www.vupen.com/english/advisories/2008/0611"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2008-0866","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Workshop allow remote attackers to inject arbitrary web script or HTML via an invalid action URI, which is not properly handled by NetUI page flows."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"1019441","refsource":"SECTRACK","url":"http://www.securitytracker.com/id?1019441"},{"name":"BEA08-185.00","refsource":"BEA","url":"http://dev2dev.bea.com/pub/advisory/258"},{"name":"29041","refsource":"SECUNIA","url":"http://secunia.com/advisories/29041"},{"name":"ADV-2008-0611","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2008/0611"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2008-0866","datePublished":"2008-02-21T01:00:00.000Z","dateReserved":"2008-02-20T00:00:00.000Z","dateUpdated":"2024-08-07T08:01:40.100Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2008-02-21 01:44:00","lastModifiedDate":"2026-04-23 00:35:47","problem_types":["CWE-79","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:bea:weblogic_workshop:8.1:sp2:*:*:*:*:*:*","matchCriteriaId":"AD6F9694-259F-4631-BC93-B1136F08E77E"},{"vulnerable":true,"criteria":"cpe:2.3:a:bea:weblogic_workshop:8.1:sp3:*:*:*:*:*:*","matchCriteriaId":"77624161-7740-4162-9C83-C0DFEA2BBCCC"},{"vulnerable":true,"criteria":"cpe:2.3:a:bea:weblogic_workshop:8.1:sp4:*:*:*:*:*:*","matchCriteriaId":"E785D039-3426-4C1F-BBA8-7C6D32FB141E"},{"vulnerable":true,"criteria":"cpe:2.3:a:bea:weblogic_workshop:8.1:sp5:*:*:*:*:*:*","matchCriteriaId":"D4B2A474-B6C4-47B6-8B20-8722A8C25238"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2008","CveId":"866","Ordinal":"1","Title":"CVE-2008-0866","CVE":"CVE-2008-0866","Year":"2008"},"notes":[{"CveYear":"2008","CveId":"866","Ordinal":"1","NoteData":"Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Workshop allow remote attackers to inject arbitrary web script or HTML via an invalid action URI, which is not properly handled by NetUI page flows.","Type":"Description","Title":"CVE-2008-0866"},{"CveYear":"2008","CveId":"866","Ordinal":"2","NoteData":"2008-02-20","Type":"Other","Title":"Published"},{"CveYear":"2008","CveId":"866","Ordinal":"3","NoteData":"2008-03-11","Type":"Other","Title":"Modified"}]}}}