Vulnerabilities > Microsoft > NET Framework
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2010-09-22 | CVE-2010-3332 | Information Exposure Through AN Error Message vulnerability in Microsoft .Net Framework Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability." | 6.4 |
2010-08-11 | CVE-2010-1898 | Code Injection vulnerability in Microsoft .Net Framework and Silverlight The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0 SP1, 2.0 SP2, 3.5, 3.5 SP1, and 3.5.1, and Microsoft Silverlight 2 and 3 before 3.0.50611.0 on Windows and before 3.0.41130.0 on Mac OS X, does not properly handle interfaces and delegations to virtual methods, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka "Microsoft Silverlight and Microsoft .NET Framework CLR Virtual Method Delegate Vulnerability." | 9.3 |
2010-05-27 | CVE-2010-2085 | Cross-Site Scripting vulnerability in Microsoft .Net Framework 1.0 The default configuration of ASP.NET in Microsoft .NET before 1.1 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the __VIEWSTATE parameter. | 4.3 |
2009-08-12 | CVE-2009-1536 | Improper Input Validation vulnerability in Microsoft .Net Framework, Windows Server 2008 and Windows Vista ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka "Remote Unauthenticated Denial of Service in ASP.NET Vulnerability." | 2.6 |
2008-11-17 | CVE-2008-5100 | Cryptographic Issues vulnerability in Microsoft .Net Framework 2.0.50727 The strong name (SN) implementation in Microsoft .NET Framework 2.0.50727 relies on the digital signature Public Key Token embedded in the pathname of a DLL file instead of the digital signature of this file itself, which makes it easier for attackers to bypass Global Assembly Cache (GAC) and Code Access Security (CAS) protection mechanisms, aka MSRC ticket MSRC8566gs. | 10.0 |
2008-08-27 | CVE-2008-3843 | Cross-Site Scripting vulnerability in Microsoft .Net Framework 1.0/1.1/2.0 Request Validation (aka the ValidateRequest filters) in ASP.NET in Microsoft .NET Framework with the MS07-040 update does not properly detect dangerous client input, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a query string containing a "<~/" (less-than tilde slash) sequence followed by a crafted STYLE element. | 4.3 |
2008-08-27 | CVE-2008-3842 | Cross-Site Scripting vulnerability in Microsoft .Net Framework 1.0/1.1/2.0 Request Validation (aka the ValidateRequest filters) in ASP.NET in Microsoft .NET Framework without the MS07-040 update does not properly detect dangerous client input, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a query string containing a "</" (less-than slash) sequence. | 4.3 |
2007-07-10 | CVE-2007-0043 | Buffer Errors vulnerability in Microsoft .Net Framework 1.0/1.1/2.0 The Just In Time (JIT) Compiler service in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via unspecified vectors involving an "unchecked buffer," probably a buffer overflow, aka ".NET JIT Compiler Vulnerability". | 9.3 |
2007-07-10 | CVE-2007-0042 | Information Exposure vulnerability in Microsoft .Net Framework 1.0/1.1/2.0 Interpretation conflict in ASP.NET in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows remote attackers to access configuration files and obtain sensitive information, and possibly bypass security mechanisms that try to constrain the final substring of a string, via %00 characters, related to use of %00 as a string terminator within POSIX functions but a data character within .NET strings, aka "Null Byte Termination Vulnerability." | 7.8 |
2007-07-10 | CVE-2007-0041 | Buffer Errors vulnerability in Microsoft .Net Framework 1.0/1.1/2.0 The PE Loader service in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows remote attackers to execute arbitrary code via unspecified vectors involving an "unchecked buffer" and unvalidated message lengths, probably a buffer overflow. | 9.3 |