Internet Information Server
by Microsoft
CVEs (154)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2000-0126 | | | 0.07 | — | 0.46 | | Jan 26, 2000 | Sample Internet Data Query (IDQ) scripts in IIS 3 and 4 allow remote attackers to read files via a .. (dot dot) attack. |
| CVE-1999-0736 | | | 0.07 | — | 0.45 | | May 7, 1999 | The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. |
| CVE-1999-0191 | | | 0.07 | — | 0.53 | | Sep 1, 1997 | IIS newdsn.exe CGI script allows remote users to overwrite files. |
| CVE-2007-2897 | | | 0.06 | — | 0.74 | | May 30, 2007 | Microsoft Internet Information Services (IIS) 6.0 allows remote attackers to cause a denial of service (server instability or device hang), and possibly obtain sensitive information (device communication traffic); and might allow attackers with physical access to execute… |
| CVE-2003-0227 | | | 0.06 | — | 0.39 | | Jun 9, 2003 | The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute… |
| CVE-2003-0226 | | | 0.06 | — | 0.43 | | Jun 9, 2003 | Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled. |
| CVE-2002-1790 | | | 0.06 | — | 0.34 | | Dec 31, 2002 | The SMTP service in Microsoft Internet Information Services (IIS) 4.0 and 5.0 allows remote attackers to bypass anti-relaying rules and send spam or spoofed messages via encapsulated SMTP addresses, a similar vulnerability to CVE-1999-0682. |
| CVE-2002-0419 | | | 0.06 | — | 0.36 | | Aug 12, 2002 | Information leaks in IIS 4 through 5.1 allow remote attackers to obtain potentially sensitive information or more easily conduct brute force attacks via responses from the server in which (2) in certain configurations, the server IP address is provided as the realm for Basic… |
| CVE-2001-1186 | | | 0.06 | — | 0.31 | | Dec 11, 2001 | Microsoft IIS 5.0 allows remote attackers to cause a denial of service via an HTTP request with a content-length value that is larger than the size of the request, which prevents IIS from timing out the connection. |
| CVE-1999-0154 | | | 0.06 | — | 0.40 | | Dec 31, 1999 | IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL. |
| CVE-2010-2731 | | | 0.05 | — | 0.31 | | Sep 15, 2010 | Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 on Windows XP SP3, when directory-based Basic Authentication is enabled, allows remote attackers to bypass intended access restrictions and execute ASP files via a crafted request, aka "Directory… |
| CVE-2009-4444 | | | 0.05 | — | 0.64 | | Dec 29, 2009 | Microsoft Internet Information Services (IIS) 5.x and 6.x uses only the portion of a filename before a ; (semicolon) character to determine the file extension, which allows remote attackers to bypass intended extension restrictions of third-party upload applications via a… |
| CVE-2003-1566 | | | 0.05 | — | 0.28 | | Jan 15, 2009 | Microsoft Internet Information Services (IIS) 5.0 does not log requests that use the TRACK method, which allows remote attackers to obtain sensitive information without detection. |
| CVE-2008-0075 | | | 0.05 | — | 0.57 | | Feb 12, 2008 | Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 through 6.0 allows remote attackers to execute arbitrary code via crafted inputs to ASP pages. |
| CVE-2002-1700 | | | 0.05 | — | 0.24 | | Dec 31, 2002 | Cross-site scripting vulnerability (XSS) in the missing template handler in Macromedia ColdFusion MX allows remote attackers to execute arbitrary script as other users by injecting script into the HTTP request for the name of a template, which is not filtered in the resulting… |
| CVE-2002-0073 | | | 0.05 | — | 0.56 | | Apr 22, 2002 | The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters. |
| CVE-2002-0149 | | | 0.05 | — | 0.63 | | Apr 22, 2002 | Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. |
| CVE-2002-0072 | | | 0.05 | — | 0.57 | | Apr 22, 2002 | The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not properly handle the error condition when a long URL is provided, which allows remote attackers to cause a denial of service (crash) when the… |
| CVE-2002-0147 | | | 0.05 | — | 0.62 | | Apr 22, 2002 | Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." |
| CVE-1999-0725 | | | 0.05 | — | 0.25 | | Aug 19, 1999 | When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page". |