Description
Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found."
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Brett Moore · textremotewindows
https://www.exploit-db.com/exploits/22919
References (8)
Core 8
Core References
Mailing List mailing-list
x_refsource_ntbugtraq
http://marc.info/?l=ntbugtraq&m=105838590030409&w=2
Mailing List mailing-list
x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=105838862201266&w=2
Third Party Advisory mailing-list
x_refsource_vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0031.html
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A117
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-028
Vendor Advisory mailing-list
x_refsource_vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0029.html
Mailing List mailing-list
x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=105838519729525&w=2
Various Sources x_refsource_misc
http://pivx.com/larholm/adv/TL006
Scores
EPSS
0.4565
EPSS Percentile
97.6%
Details
Status
published
Products (1)
microsoft/isa_server
2000 (3 CPE variants)
Published
Aug 18, 2003
Tracked Since
Feb 18, 2026