Internet Information Server
by Microsoft
CVEs (154)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2000-0631 | | | 0.02 | — | 0.25 | | Jul 14, 2000 | An administrative script from IIS 3.0, later included in IIS 4.0 and 5.0, allows remote attackers to cause a denial of service by accessing the script without a particular argument, aka the "Absent Directory Browser Argument" vulnerability. |
| CVE-2000-0304 | | | 0.02 | — | 0.29 | | May 10, 2000 | Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory installed allows a remote attacker to cause a denial of service via a malformed request to the inetinfo.exe program, aka the "Undelimited .HTR Request" vulnerability. |
| CVE-2000-0071 | | | 0.02 | — | 0.28 | | Jan 11, 2000 | IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions. |
| CVE-1999-0738 | | | 0.02 | — | 0.29 | | May 7, 1999 | The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. |
| CVE-1999-0737 | | | 0.02 | — | 0.28 | | May 7, 1999 | The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. |
| CVE-1999-0739 | | | 0.02 | — | 0.29 | | May 7, 1999 | The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. |
| CVE-1999-1376 | | | 0.02 | — | 0.24 | | Jan 14, 1999 | Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands. |
| CVE-2014-4078 | | | 0.01 | — | 0.18 | | Nov 11, 2014 | The IP Security feature in Microsoft Internet Information Services (IIS) 8.0 and 8.5 does not properly process wildcard allow and deny rules for domains within the "IP Address and Domain Restrictions" list, which makes it easier for remote attackers to bypass an intended rule… |
| CVE-2003-1582 | | | 0.01 | — | 0.10 | | Feb 5, 2010 | Microsoft Internet Information Services (IIS) 6.0, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences,… |
| CVE-2009-4445 | | | 0.01 | — | 0.13 | | Dec 29, 2009 | Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to create empty files with arbitrary extensions via a filename containing an initial extension followed by a : (colon) and a safe… |
| CVE-2008-4301 | | | 0.01 | — | 0.17 | | Sep 29, 2008 | A certain ActiveX control in iisext.dll in Microsoft Internet Information Services (IIS) allows remote attackers to set a password via a string argument to the SetPassword method. NOTE: this issue could not be reproduced by a reliable third party. In addition, the original… |
| CVE-2008-4300 | | | 0.01 | — | 0.14 | | Sep 29, 2008 | A certain ActiveX control in adsiis.dll in Microsoft Internet Information Services (IIS) allows remote attackers to cause a denial of service (browser crash) via a long string in the second argument to the GetObject method. NOTE: this issue was disclosed by an unreliable… |
| CVE-2006-6578 | | | 0.01 | — | 0.07 | | Dec 15, 2006 | Microsoft Internet Information Services (IIS) 5.1 permits the IUSR_Machine account to execute non-EXE files such as .COM files, which allows attackers to execute arbitrary commands via arguments to any .COM file that executes those arguments, as demonstrated using win.com when… |
| CVE-2003-0224 | | | 0.01 | — | 0.18 | | Jun 9, 2003 | Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun." |
| CVE-2003-0223 | | | 0.01 | — | 0.17 | | Jun 9, 2003 | Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message. |
| CVE-2002-1695 | | | 0.01 | — | 0.14 | | Dec 31, 2002 | Norton Internet Security 2001 opens log files with FILE_SHARE_READ and FILE_SHARE_WRITE permissions, which could allow remote attackers to modify the log file contents while Norton Internet Security is running. |
| CVE-2002-1694 | | | 0.01 | — | 0.13 | | Dec 31, 2002 | Microsoft Internet Information Server (IIS) 4.0 opens log files with FILE_SHARE_READ and FILE_SHARE_WRITE permissions, which could allow remote attackers to modify the log file contents while IIS is running. |
| CVE-2002-1718 | | | 0.01 | — | 0.14 | | Dec 31, 2002 | Microsoft Internet Information Server (IIS) 5.1 may allow remote attackers to view the contents of a Frontpage Server Extension (FPSE) file, as claimed using an HTTP request for colegal.htm that contains .. (dot dot) sequences. |
| CVE-2002-1717 | | | 0.01 | — | 0.16 | | Dec 31, 2002 | Microsoft Internet Information Server (IIS) 5.1 allows remote attackers to view path information via a GET request to (1) /_vti_pvt/access.cnf, (2) /_vti_pvt/botinfs.cnf, (3) /_vti_pvt/bots.cnf, or (4) /_vti_pvt/linkinfo.cnf. |
| CVE-2002-1908 | | | 0.01 | — | 0.14 | | Dec 31, 2002 | Microsoft IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (CPU consumption) via an HTTP request with a Host header that contains a large number of "/" (forward slash) characters. |