Overview
Visitors to web sites that use Microsoft IIS 5.0 and 5.1 are vulnerable to cross-site scripting attacks through the IIS help facility.
Description
Cross-site scripting is a form of attack in which an intruder leverages the trust between a victim and a web site the victim trusts. Quoting from CERT Advisory CA-2001-02: Many Internet web sites overlook the possibility that a client may send malicious data intended to be used only by itself. This is an easy mistake to make. After all, why would a user enter malicious code that only the user will see?
Impact
For a description of the potential impact, see http://www.cert.org/advisories/CA-2000-02.html#impact.
Solution
For a description of the range of solutions to this problem, see http://www.cert.org/advisories/CA-2000-02.html#solution. In this instance, web site managers should apply a patch as described in MS02-018.
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | N/A | N/A |
Temporal | N/A | N/A |
Environmental | N/A |
References
Credit
Our thanks to Microsoft Corporation, who described this instance of cross-site scripting problems in MS02-018.
Other Information
CVE IDs: CVE-2002-0074
Severity Metric: 15.95
Date Public: 2002-04-10
Date First Published: 2002-04-10
Date Last Updated: 2002-04-10 22:31 UTC
Document Revision: 2