Internet Information Server
by Microsoft
CVEs (154)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2002-1180 | | | 0.01 | — | 0.09 | | Nov 12, 2002 | A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability." |
| CVE-2001-0902 | | | 0.01 | — | 0.17 | | Nov 20, 2001 | Microsoft IIS 5.0 allows remote attackers to spoof web log entries via an HTTP request that includes hex-encoded newline or form-feed characters. |
| CVE-2001-0545 | | | 0.01 | — | 0.18 | | Oct 30, 2001 | IIS 4.0 with URL redirection enabled allows remote attackers to cause a denial of service (crash) via a malformed request that specifies a length that is different than the actual length. |
| CVE-2000-1090 | | | 0.01 | — | 0.17 | | Feb 12, 2001 | Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers to read source code for parsed pages via a malformed URL that uses the lead-byte of a double-byte character. |
| CVE-2000-1104 | | | 0.01 | — | 0.07 | | Jan 9, 2001 | Variant of the "IIS Cross-Site Scripting" vulnerability as originally discussed in MS:MS00-060 (CVE-2000-0746) allows a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The… |
| CVE-2000-0746 | | | 0.01 | — | 0.09 | | Oct 20, 2000 | Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client… |
| CVE-2000-0770 | | | 0.01 | — | 0.15 | | Oct 20, 2000 | IIS 4.0 and 5.0 does not properly restrict access to certain types of files when their parent folders have less restrictive permissions, which could allow remote attackers to bypass access restrictions to some files, aka the "File Permission Canonicalization" vulnerability. |
| CVE-2000-0226 | | | 0.01 | — | 0.07 | | Mar 20, 2000 | IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability." |
| CVE-2000-0115 | | | 0.01 | — | 0.10 | | Jan 21, 2000 | IIS allows local users to cause a denial of service via invalid regular expressions in a Visual Basic script in an ASP page. |
| CVE-1999-1451 | | | 0.01 | — | 0.18 | | Dec 31, 1999 | The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files. |
| CVE-1999-1148 | | | 0.01 | — | 0.17 | | Dec 31, 1999 | FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time. |
| CVE-1999-1035 | | | 0.01 | — | 0.17 | | Dec 31, 1999 | IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS "GET" vulnerability. |
| CVE-1999-1591 | | | 0.01 | — | 0.11 | | Dec 31, 1999 | Microsoft Internet Information Services (IIS) server 4.0 SP4, without certain hotfixes released for SP4, does not require authentication credentials under certain conditions, which allows remote attackers to bypass authentication requirements, as demonstrated by connecting via… |
| CVE-1999-1223 | | | 0.01 | — | 0.23 | | Dec 31, 1999 | IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters. |
| CVE-2000-0024 | | | 0.01 | — | 0.12 | | Dec 21, 1999 | IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability. |
| CVE-1999-0777 | | | 0.01 | — | 0.12 | | Sep 23, 1999 | IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions. |
| CVE-1999-1537 | | | 0.01 | — | 0.09 | | Jul 7, 1999 | IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform… |
| CVE-1999-1478 | | | 0.01 | — | 0.18 | | Jul 6, 1999 | The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character. |
| CVE-1999-0349 | | | 0.01 | — | 0.18 | | Jan 27, 1999 | A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands. |
| CVE-1999-0348 | | | 0.01 | — | 0.11 | | Jan 27, 1999 | IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory. |