Vulnerability Note VU#883091
Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in IIS Help Files search facility
Visitors to web sites that use Microsoft IIS 5.0 and 5.1 are vulnerable to cross-site scripting attacks through the IIS help facility.
Many Internet web sites overlook the possibility that a client may send malicious data intended to be used only by itself. This is an easy mistake to make. After all, why would a user enter malicious code that only the user will see?
For more information, see Microsoft Security Bulletin MS02-018.
IIS is a very popular web server, and any client that has a trust relationship with an IIS web site may be vulnerable if that site default error messages.
For a description of the potential impact, see http://www.cert.org/advisories/CA-2000-02.html#impact. .
For a description of the range of solutions to this problem, see http://www.cert.org/advisories/CA-2000-02.html#solution. In this instance, web site managers should apply a patch as described in MS02-018.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft||Affected||-||10 Apr 2002|
CVSS Metrics (Learn More)
Our thanks to Microsoft Corporation, who described this instance of cross-site scripting problems in MS02-018.
This document was written by Shawn V. Hernan.
- CVE IDs: CAN-2002-0074
- Date Public: 10 Apr 2002
- Date First Published: 10 Apr 2002
- Date Last Updated: 10 Apr 2002
- Severity Metric: 15.95
- Document Revision: 2
If you have feedback, comments, or additional information about this vulnerability, please send us email.