Search Results (111 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-1999-1544 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command.
CVE-2000-0408 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
IIS 4.05 and 5.0 allow remote attackers to cause a denial of service via a long, complex URL that appears to contain a large number of file extensions, aka the "Malformed Extension Data in URL" vulnerability.
CVE-2000-0413 1 Microsoft 3 Frontpage, Internet Information Server, Internet Information Services 2026-04-16 N/A
The shtml.exe program in the FrontPage extensions package of IIS 4.0 and 5.0 allows remote attackers to determine the physical path of HTML, HTM, ASP, and SHTML files by requesting a file that does not exist, which generates an error message that reveals the path.
CVE-2000-0746 1 Microsoft 3 Frontpage, Internet Information Server, Internet Information Services 2026-04-16 N/A
Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities.
CVE-2000-0858 1 Microsoft 2 Internet Information Server, Windows Nt 2026-04-16 N/A
Vulnerability in Microsoft Windows NT 4.0 allows remote attackers to cause a denial of service in IIS by sending it a series of malformed requests which cause INETINFO.EXE to fail, aka the "Invalid URL" vulnerability.
CVE-2000-0884 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.
CVE-2000-0970 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability.
CVE-2000-1104 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
Variant of the "IIS Cross-Site Scripting" vulnerability as originally discussed in MS:MS00-060 (CVE-2000-0746) allows a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site.
CVE-2003-0223 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message.
CVE-1999-0281 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
Denial of service in IIS using long URLs.
CVE-1999-1538 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.
CVE-1999-0154 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.
CVE-1999-0278 1 Microsoft 2 Internet Information Server, Windows Nt 2026-04-16 N/A
In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.
CVE-1999-0407 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.
CVE-1999-0412 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.
CVE-1999-0448 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.
CVE-1999-0736 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.
CVE-1999-1478 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character.
CVE-2001-0545 1 Microsoft 1 Internet Information Server 2026-04-16 N/A
IIS 4.0 with URL redirection enabled allows remote attackers to cause a denial of service (crash) via a malformed request that specifies a length that is different than the actual length.
CVE-1999-0253 1 Microsoft 2 Internet Information Server, Internet Information Services 2026-04-16 N/A
IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.