There is an HTML injection vulnerability in the WebLogic Server 10 Administration Console that allows an attacker to gain administrative access to the server. It is possible to craft a URL that, when requested from the server, returns a document with arbitrarily chosen HTML injected. An obvious use for this type of vulnerability is cross-site scripting, which can be used, among other things, to obtain session cookies from WebLogic administrators. Once stolen, these cookies give the attacker administrative access to the WebLogic Administration Console, compromising the security of the entire web server.

http://www.securiteam.com/securitynews/5RP0J0KNQW.html