Search Results (111 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2005-2678 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
Microsoft IIS 5.1 and 6 allows remote attackers to spoof the SERVER_NAME variable to bypass security checks and conduct various attacks via a GET request with an http://localhost URI, which makes it appear as if the request is coming from localhost.
CVE-1999-0874 1 Microsoft 3 Internet Information Server, Windows 2000, Windows Nt 2026-04-16 N/A
Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.
CVE-1999-1537 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL.
CVE-2000-0025 1 Microsoft 3 Internet Information Server, Site Server, Site Server Commerce 2026-04-16 N/A
IIS 4.0 and Site Server 3.0 allow remote attackers to read source code for ASP files if the file is in a virtual directory whose name includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the "Virtual Directory Naming" vulnerability.
CVE-2000-0071 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions.
CVE-2000-0114 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.
CVE-2000-0126 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
Sample Internet Data Query (IDQ) scripts in IIS 3 and 4 allow remote attackers to read files via a .. (dot dot) attack.
CVE-2000-0167 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
IIS Inetinfo.exe allows local users to cause a denial of service by creating a mail file with a long name and a .txt.eml extension in the pickup directory.
CVE-2000-0630 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
IIS 4.0 and 5.0 allows remote attackers to obtain fragments of source code by appending a +.htr to the URL, a variant of the "File Fragment Reading via .HTR" vulnerability.
CVE-2000-0631 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
An administrative script from IIS 3.0, later included in IIS 4.0 and 5.0, allows remote attackers to cause a denial of service by accessing the script without a particular argument, aka the "Absent Directory Browser Argument" vulnerability.
CVE-2000-0746 1 Microsoft 3 Frontpage, Internet Information Server, Internet Information Services 2026-04-16 N/A
Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities.
CVE-2000-0770 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
IIS 4.0 and 5.0 does not properly restrict access to certain types of files when their parent folders have less restrictive permissions, which could allow remote attackers to bypass access restrictions to some files, aka the "File Permission Canonicalization" vulnerability.
CVE-2000-0970 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability.
CVE-2000-1090 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attackers to read source code for parsed pages via a malformed URL that uses the lead-byte of a double-byte character.
CVE-2002-0071 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names.
CVE-2000-1104 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
Variant of the "IIS Cross-Site Scripting" vulnerability as originally discussed in MS:MS00-060 (CVE-2000-0746) allows a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site.
CVE-1999-0007 5 C2net, Hp, Microsoft and 2 more 13 Stonghold Web Server, Open Market Secure Webserver, Exchange Server and 10 more 2026-04-16 N/A
Information from SSL-encrypted sessions via PKCS #1.
CVE-1999-0012 2 Microsoft, Netscape 5 Frontpage, Internet Information Server, Personal Web Server and 2 more 2026-04-16 7 High
Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.
CVE-1999-0154 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.
CVE-1999-0281 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
Denial of service in IIS using long URLs.