CVE-2020-9314

MEDIUM EXPLOITED NUCLEI

Oracle iPlanet Web Server 7.0-7.0.26 - Cross-Site Scripting via Administration Console admingui productNameSrc Parameter


Exploitation Summary

CVE-2020-9314 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516. NOTE: a related support policy can be found in the www.oracle.com references attached to this CVE.

Nuclei Templates (1)

Oracle iPlanet Web Server 7.0.x - Image Injection
MEDIUM by DhiyaneshDk
Shodan: Oracle-iPlanet-Web-Server
FOFA: app="Oracle-iPlanet-Web-Server"

Scores

CVSS v3 4.8
EPSS 0.0128
EPSS Percentile 66.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

VulnCheck KEV 2026-02-11
CWE CWE-79
Status published
Products (1)
oracle/iplanet_web_server 7.0 - 7.0.27
Published May 10, 2020
Tracked Since Feb 18, 2026