CVE-2003-0526 - Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Serve

CVE-2003-0526

Summary

Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found."

References

Vulnerable Configurations

cpe:2.3:a:microsoft:isa_server:2000:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:isa_server:2000:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:isa_server:2000:fp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:isa_server:2000:fp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:isa_server:2000:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:isa_server:2000:sp1:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 12-10-2018 - 21:32)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

oval via4

accepted

2011-04-25T04:00:04.930-04:00

class

vulnerability

contributors

name Tiffany Bergeron
organization The MITRE Corporation
name Jeff Cheng
organization Opsware, Inc.
name Akihito Nakamura
organization AIST

description

family

windows

oval:org.mitre.oval:def:117

status

accepted

submitted

2003-10-03T12:00:00.000-04:00

title

Microsoft ISA Server Cross-Site Scripting

version

refmap via4

bugtraq	20030716 ISA Server - Error Page Cross Site Scripting 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007)
misc	http://pivx.com/larholm/adv/TL006
ntbugtraq	20030716 Microsoft ISA Server HTTP error handler XSS (TL#007)
vulnwatch	20030716 ISA Server - Error Page Cross Site Scripting 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007)

Last major update

12-10-2018 - 21:32

Published

18-08-2003 - 04:00

Last modified

12-10-2018 - 21:32