A set of vulnerabilities impacting Oracle’s iPlanet Web Server has been disclosed by researchers.
Tracked as CVE-2020-9315 and CVE-2020-9314, the security flaws allow for sensitive data exposure and limited injection attacks.
First discovered by Nightwatch Cybersecurity researchers on January 19, 2020, the issues were found in the web administration console of the enterprise server management system.
CVE-2020-9315 allows any page within the console to be read without authentication, simply by replacing an admin GUI URL with the URL of the target page. The researchers say that this bug could result in the leak of sensitive data, including configuration information and encryption keys.