Internet Information Server
by Microsoft
CVEs (154)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-1999-1544 | 0.01 | — | 0.14 | Jan 24, 1999 | Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command. |
| CVE-1999-0007 | 0.01 | — | 0.08 | Jun 26, 1998 | Information from SSL-encrypted sessions via PKCS #1. |
| CVE-1999-0253 | 0.01 | — | 0.08 | Jan 1, 1997 | IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL. |
| CVE-2025-53805 | 0.00 | — | 0.01 | Sep 9, 2025 | Out-of-bounds read in Windows Internet Information Services allows an unauthorized attacker to deny service over a network. |
| CVE-2012-2531 | 0.00 | — | 0.01 | Nov 14, 2012 | Microsoft Internet Information Services (IIS) 7.5 uses weak permissions for the Operational log, which allows local users to discover credentials by reading this file, aka "Password Disclosure Vulnerability." |
| CVE-2008-0074 | 0.00 | — | 0.05 | Feb 12, 2008 | Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows local users to gain privileges via unknown vectors related to file change notifications in the TPRoot, NNTPFile\Root, or WWWRoot folders. |
| CVE-2006-6579 | 0.00 | — | 0.01 | Dec 15, 2006 | Microsoft Windows XP has weak permissions (FILE_WRITE_DATA and FILE_READ_DATA for Everyone) for %WINDIR%\pchealth\ERRORREP\QHEADLES, which allows local users to write and read files in this folder, as demonstrated by an ASP shell that has write access by IWAM_machine and read… |
| CVE-2004-0205 | 0.00 | — | 0.24 | Aug 6, 2004 | Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function. |
| CVE-2001-0544 | 0.00 | — | 0.02 | Oct 30, 2001 | IIS 5.0 allows local users to cause a denial of service (hang) by installing content that produces a certain invalid MIME Content-Type header, which corrupts the File Type table. |
| CVE-2001-0337 | 0.00 | — | 0.05 | Jun 27, 2001 | The Microsoft MS01-014 and MS01-016 patches for IIS 5.0 and earlier introduce a memory leak which allows attackers to cause a denial of service via a series of requests. |
| CVE-1999-1233 | 0.00 | — | 0.05 | Dec 31, 1999 | IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability. |
| CVE-1999-0861 | 0.00 | — | 0.03 | Aug 11, 1999 | Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext. |
| CVE-1999-0229 | 0.00 | — | 0.06 | May 12, 1999 | Denial of service in Windows NT IIS server using ..\.. |
| CVE-1999-0407 | 0.00 | — | 0.05 | Feb 9, 1999 | By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system. |