Vulnerabilities > CVE-2000-0970 - Unspecified vulnerability in Microsoft products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

microsoft

NVD

Published: 2000-12-19

Updated: 2018-10-30

Summary

IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability.

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Internet Information Server 4.0 Microsoft Internet Information Services 5.0	2

References

http://www.acrossecurity.com/aspr/ASPR-2000-07-22-1-PUB.txt
http://www.osvdb.org/7265
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-080
https://exchange.xforce.ibmcloud.com/vulnerabilities/5396