Executive Summary
| Informations | |||
|---|---|---|---|
| Name | MS03-028 | First vendor Publication | N/A |
| Vendor | Microsoft | Last vendor Modification | N/A |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6.8 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (816456) |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:117 | |||
| Oval ID: | oval:org.mitre.oval:def:117 | ||
| Title: | Microsoft ISA Server Cross-Site Scripting | ||
| Description: | Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2003-0526 | Version: | 4 |
| Platform(s): | Microsoft Windows 2000 | Product(s): | Microsoft Internet Security and Acceleration Server 2000 |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 2320 | Microsoft ISA Server HTTP Error Handler XSS Microsoft Internet Security and Acceleration (ISA) Server contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate URI parameters upon submission to the homepage function. This could allow a user to send a specially crafted request that would execute arbitrary code on the server leading to a loss of integrity. |
| 2298 | Microsoft ISA Server Error Page XSS ISA Server contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the returned URI upon submission to the error page script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
