CVE-2012-0516
published 2012-05-03CVE-2012-0516: Unspecified vulnerability in the Oracle iPlanet Web Server component in Oracle Sun Products Suite 7.0 allows remote attackers to affect confidentiality…
PriorityP342medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
2.91%
85.3th percentile
Unspecified vulnerability in the Oracle iPlanet Web Server component in Oracle Sun Products Suite 7.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration Console.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | iplanet_web_server | 7.0 – 7.0.27 | — |
| oracle | sun_products_suite | — | — |
CVSS provenance
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck6.8MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-8fc5-c477-8j2w: ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7
ghsa_unreviewed·2022-05-24·CVSS 6.8
CVE-2020-9314 [MEDIUM] CWE-74 GHSA-8fc5-c477-8j2w: ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7
** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516. NOTE: a related support policy can be found in the www.oracle.com references attached to this CVE.
GHSA
GHSA-g6r9-732f-vcc2: Unspecified vulnerability in the Oracle iPlanet Web Server component in Oracle Sun Products Suite 7
ghsa_unreviewed·2022-05-04
CVE-2012-0516 [MEDIUM] GHSA-g6r9-732f-vcc2: Unspecified vulnerability in the Oracle iPlanet Web Server component in Oracle Sun Products Suite 7
Unspecified vulnerability in the Oracle iPlanet Web Server component in Oracle Sun Products Suite 7.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration Console.
VulnCheck
Oracle iplanet_web_server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2020·CVSS 6.8
CVE-2020-9314 [MEDIUM] Oracle iplanet_web_server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Oracle iplanet_web_server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516. NOTE: a related support policy can be found in the www.oracle.com references attached to this CVE.
Affected: Oracle iplanet_web_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2020-9314
No detection rules found.
Nuclei
Oracle iPlanet Web Server 7.0.x - Image Injection
nuclei·CVSS 6.8
CVE-2020-9314 [MEDIUM] Oracle iPlanet Web Server 7.0.x - Image Injection
Oracle iPlanet Web Server 7.0.x - Image Injection
Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516.
Template:
id: CVE-2020-9314
info:
name: Oracle iPlanet Web Server 7.0.x - Image Injection
author: DhiyaneshDk
severity: medium
description: |
Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516.
impact: |
Attackers can inject malicious images into the admin console, potentially leading to social engineering, phishing attacks, or interface manipulation.
remediation: |
Oracle iPlanet Web Se
Bugzilla
CVE-2012-0478 Mozilla: Crash with WebGL content using textImage2D (MFSA 2012-30)
bugzilla·2012-04-22·CVSS 9.3
CVE-2012-0478 [CRITICAL] CVE-2012-0478 Mozilla: Crash with WebGL content using textImage2D (MFSA 2012-30)
CVE-2012-0478 Mozilla: Crash with WebGL content using textImage2D (MFSA 2012-30)
Mozilla community member Ms2ger found an image rendering issue with WebGL when texImage2D uses use JSVAL_TO_OBJECT on arbitrary objects. This can lead to a crash on a maliciously crafted web page. While there is no evidence that this is directly exploitable, there is a possibility of remote code execution.
Reference:
http://www.mozilla.org/security/announce/2012/mfsa2012-30.html
Discussion:
Acknowledgements:
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ms2ger as the original reporter.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2012:0516 https://rhn.redhat.com/errata/RHSA-2012
Bugzilla
CVE-2012-0471 Mozilla: Potential XSS via multibyte content processing errors (MFSA 2012-24)
bugzilla·2012-04-22·CVSS 4.3
CVE-2012-0471 [MEDIUM] CVE-2012-0471 Mozilla: Potential XSS via multibyte content processing errors (MFSA 2012-24)
CVE-2012-0471 Mozilla: Potential XSS via multibyte content processing errors (MFSA 2012-24)
Anne van Kesteren of Opera Software found a multi-octet encoding issue where certain octets will destroy the following octets in the processing of some multibyte character sets. This can leave users vulnerable to cross-site scripting (XSS) attacks on maliciously crafted web pages.
Reference:
http://www.mozilla.org/security/announce/2012/mfsa2012-24.html
Discussion:
Acknowledgements:
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Anne van Kesteren of Opera Software as the original reporter.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2012:0516 https://rhn.redhat.com/er
Bugzilla
CVE-2012-0470 Mozilla: Invalid frees causes heap corruption in gfxImageSurface (MFSA 2012-23)
bugzilla·2012-04-22·CVSS 10.0
CVE-2012-0470 [CRITICAL] CVE-2012-0470 Mozilla: Invalid frees causes heap corruption in gfxImageSurface (MFSA 2012-23)
CVE-2012-0470 Mozilla: Invalid frees causes heap corruption in gfxImageSurface (MFSA 2012-23)
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found a heap corruption in gfxImageSurface which allows for invalid frees and possible remote code execution. This happens due to float error, resulting from graphics values being passed through different number systems.
Reference:
http://www.mozilla.org/security/announce/2012/mfsa2012-23.html
Discussion:
Acknowledgements:
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Atte Kettunen from OUSPG as the original reporter.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2012:0516 https://rhn.redh
Bugzilla
CVE-2011-3062 Mozilla: Off-by-one error in OpenType Sanitizer (MFSA 2012-31)
bugzilla·2012-04-22·CVSS 6.8
CVE-2011-3062 [MEDIUM] CVE-2011-3062 Mozilla: Off-by-one error in OpenType Sanitizer (MFSA 2012-31)
CVE-2011-3062 Mozilla: Off-by-one error in OpenType Sanitizer (MFSA 2012-31)
Mateusz Jurczyk of the Google Security Team discovered an off-by-one error in the OpenType Sanitizer using the Address Sanitizer tool. This can lead to an out-of-bounds read and execution of an uninitialized function pointer during parsing and possible remote code execution.
Reference:
http://www.mozilla.org/security/announce/2012/mfsa2012-31.html
Discussion:
Acknowledgements:
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Mateusz Jurczyk of the Google Security Team as the original reporter.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2012:0516 https://rhn.redhat.com/errata/RHSA-201
Bugzilla
CVE-2012-0469 Mozilla: use-after-free in IDBKeyRange (MFSA 2012-22)
bugzilla·2012-04-22·CVSS 10.0
CVE-2012-0469 [CRITICAL] CVE-2012-0469 Mozilla: use-after-free in IDBKeyRange (MFSA 2012-22)
CVE-2012-0469 Mozilla: use-after-free in IDBKeyRange (MFSA 2012-22)
Using the Address Sanitizer tool, security researcher Aki Helin from OUSPG found that IDBKeyRange of indexedDB remains in the XPConnect hashtable instead of being unlinked before being destroyed. When it is destroyed, this causes a use-after-free, which is potentially exploitable.
Reference:
http://www.mozilla.org/security/announce/2012/mfsa2012-22.html
Discussion:
Acknowledgements:
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Aki Helin from OUSPG as the original reporter.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2012:0516 https://rhn.redhat.com/errata/RHSA-2012-0516.html
---
This iss
Bugzilla
CVE-2012-0473 Mozilla: WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error (MFSA 2012-26)
bugzilla·2012-04-22·CVSS 5.0
CVE-2012-0473 [MEDIUM] CVE-2012-0473 Mozilla: WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error (MFSA 2012-26)
CVE-2012-0473 Mozilla: WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error (MFSA 2012-26)
Mozilla community member Matias Juntunen discovered an error in WebGLBuffer where FindMaxElementInSubArray receives wrong template arguments from FindMaxUshortElement. This bug causes maximum index to be computed incorrectly within WebGL.drawElements, allowing the reading of illegal video memory.
Reference:
http://www.mozilla.org/security/announce/2012/mfsa2012-26.html
Discussion:
Acknowledgements:
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Matias Juntunen as the original reporter.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2012:0516
http://seclists.org/fulldisclosure/2020/May/31http://www.mandriva.com/security/advisories?name=MDVSA-2013:150http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.htmlhttp://www.securityfocus.com/bid/53133http://www.securitytracker.com/id?1026951http://seclists.org/fulldisclosure/2020/May/31http://www.mandriva.com/security/advisories?name=MDVSA-2013:150http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.htmlhttp://www.securityfocus.com/bid/53133http://www.securitytracker.com/id?1026951
2012-05-03
Published