CVE-2020-9314

moderate-risk
Published 2020-05-10

** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516. NOTE: a related support policy can be found in the www.oracle.com references attached to this CVE.

Do I need to act?

!
12.0% chance of exploitation in next 30 days
EPSS score — higher than 88% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Oracle

References (8)

Mailing List http://seclists.org/fulldisclosure/2020/May/31
Vendor Advisory https://www.oracle.com/support/lifetime-support/
Vendor Advisory https://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf
Third Party Advisory https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracl...
Mailing List http://seclists.org/fulldisclosure/2020/May/31
Vendor Advisory https://www.oracle.com/support/lifetime-support/
Vendor Advisory https://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf
Third Party Advisory https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracl...
36
/ 100
moderate-risk
Severity 19/34 · Moderate
Exploitability 12/34 · Low
Exposure 5/34 · Minimal