Vulnerability Name:

CVE-2003-0526 (CCN-12627)

Assigned:2003-07-16
Published:2003-07-16
Updated:2018-10-12
Summary:Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found."
CVSS v3 Severity:5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.8 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: VULNWATCH
Type: Vendor Advisory
20030716 ISA Server - Error Page Cross Site Scripting

Source: VULNWATCH
Type: UNKNOWN
20030716 Microsoft ISA Server HTTP error handler XSS (TL#007)

Source: MITRE
Type: CNA
CVE-2003-0526

Source: BUGTRAQ
Type: UNKNOWN
20030716 Microsoft ISA Server HTTP error handler XSS (TL#007)

Source: BUGTRAQ
Type: UNKNOWN
20030716 ISA Server - Error Page Cross Site Scripting

Source: NTBUGTRAQ
Type: UNKNOWN
20030716 Microsoft ISA Server HTTP error handler XSS (TL#007)

Source: MISC
Type: UNKNOWN
http://pivx.com/larholm/adv/TL006

Source: CCN
Type: CIAC Information Bulletin N-119
Microsoft Internet Security and Acceleration (ISA) Server Error Pages Could Allow Cross-Site Scripting Attack

Source: CCN
Type: Microsoft Security Bulletin MS03-028
Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (816456)

Source: CCN
Type: OSVDB ID: 2298
Microsoft ISA Server Error Page XSS

Source: CCN
Type: OSVDB ID: 2320
Microsoft ISA Server HTTP Error Handler XSS

Source: CCN
Type: BID-8207
Microsoft ISA Server Cross-Site Scripting Vulnerabilities

Source: MS
Type: UNKNOWN
MS03-028

Source: XF
Type: UNKNOWN
isa-homepage-error-xss(12627)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:117

Vulnerable Configuration:Configuration 1:
  • cpe:/a:microsoft:isa_server:2000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:isa_server:2000:fp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:isa_server:2000:sp1:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:microsoft:isa_server:2000:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:117
    V
    		Microsoft ISA Server Cross-Site Scripting
    2011-04-25
    BACK
    microsoft isa server 2000
    microsoft isa server 2000 fp1
    microsoft isa server 2000 sp1
    microsoft isa server 2000