#VU27700 Code Injection in Sun ONE/iPlanet Web Server
Vulnerability identifier: #VU27700
Vulnerability risk: Low
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-94
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Sun ONE/iPlanet Web Server
Server applications /
Web servers
Vendor: Sun
Description
The vulnerability allows a remote attacker to perform a phishing attack.
The vulnerability exists due to improper input validation when processing HTTP requests within the "/admingui/version/" URL in the Administration Console. A remote attacker can send a specially crafted request and permanently inject arbitrary images.
Note, this vulnerability exists due to incomplete fix of SB2012050302 (CVE-2012-0516).
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Note, this product is no longer supported by the vendor.
Vulnerable software versions
Sun ONE/iPlanet Web Server: 7.0
External links
http://www.oracle.com/support/lifetime-support/
http://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf
http://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
