VYPR

IIS

by Microsoft

CVEs (64)

  • CVE-2000-0631Jul 14, 2000
    risk 0.02cvss epss 0.25

    An administrative script from IIS 3.0, later included in IIS 4.0 and 5.0, allows remote attackers to cause a denial of service by accessing the script without a particular argument, aka the "Absent Directory Browser Argument" vulnerability.

  • CVE-2000-0304May 10, 2000
    risk 0.02cvss epss 0.29

    Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory installed allows a remote attacker to cause a denial of service via a malformed request to the inetinfo.exe program, aka the "Undelimited .HTR Request" vulnerability.

  • CVE-2000-0071Jan 11, 2000
    risk 0.02cvss epss 0.28

    IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions.

  • CVE-1999-0739May 7, 1999
    risk 0.02cvss epss 0.29

    The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

  • CVE-1999-0737May 7, 1999
    risk 0.02cvss epss 0.28

    The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

  • CVE-2002-1908Dec 31, 2002
    risk 0.01cvss epss 0.14

    Microsoft IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (CPU consumption) via an HTTP request with a Host header that contains a large number of "/" (forward slash) characters.

  • CVE-2001-0902Nov 20, 2001
    risk 0.01cvss epss 0.17

    Microsoft IIS 5.0 allows remote attackers to spoof web log entries via an HTTP request that includes hex-encoded newline or form-feed characters.

  • CVE-2001-0545Oct 30, 2001
    risk 0.01cvss epss 0.18

    IIS 4.0 with URL redirection enabled allows remote attackers to cause a denial of service (crash) via a malformed request that specifies a length that is different than the actual length.

  • CVE-2000-1090Feb 12, 2001
    risk 0.01cvss epss 0.17

    Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers to read source code for parsed pages via a malformed URL that uses the lead-byte of a double-byte character.

  • CVE-2000-1104Jan 9, 2001
    risk 0.01cvss epss 0.07

    Variant of the "IIS Cross-Site Scripting" vulnerability as originally discussed in MS:MS00-060 (CVE-2000-0746) allows a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The…

  • CVE-2000-0746Oct 20, 2000
    risk 0.01cvss epss 0.09

    Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client…

  • CVE-2000-0770Oct 20, 2000
    risk 0.01cvss epss 0.15

    IIS 4.0 and 5.0 does not properly restrict access to certain types of files when their parent folders have less restrictive permissions, which could allow remote attackers to bypass access restrictions to some files, aka the "File Permission Canonicalization" vulnerability.

  • CVE-2000-0226Mar 20, 2000
    risk 0.01cvss epss 0.07

    IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability."

  • CVE-1999-1451Dec 31, 1999
    risk 0.01cvss epss 0.18

    The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files.

  • CVE-1999-1148Dec 31, 1999
    risk 0.01cvss epss 0.17

    FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time.

  • CVE-2000-0024Dec 21, 1999
    risk 0.01cvss epss 0.12

    IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability.

  • CVE-1999-0777Sep 23, 1999
    risk 0.01cvss epss 0.12

    IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions.

  • CVE-1999-0348Jan 27, 1999
    risk 0.01cvss epss 0.11

    IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory.

  • CVE-1999-1544Jan 24, 1999
    risk 0.01cvss epss 0.14

    Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command.

  • CVE-1999-0561Jan 1, 1999
    risk 0.01cvss epss 0.08

    IIS has the #exec function enabled for Server Side Include (SSI) files.