CVE-2017-0055

Microsoft Internet Information Server (IIS) in Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to perform cross-site scripting and run script with local user privileges via a crafted request, aka "Microsoft IIS Server XSS Elevation of Privilege Vulnerability."

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/96622	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038012
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0055	Patch Vendor Advisory
http://www.securityfocus.com/bid/96622	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038012
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0055	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:microsoft:windows_10:-:::::::*
	cpe:2.3:o:microsoft:windows_10:1511:::::::*
	cpe:2.3:o:microsoft:windows_10:1607:::::::*
	cpe:2.3:o:microsoft:windows_7::sp1::::::*
	cpe:2.3:o:microsoft:windows_8.1::::::::
	cpe:2.3:o:microsoft:windows_rt_8.1::::::::
	cpe:2.3:o:microsoft:windows_server_2008::sp2::::::*
	cpe:2.3:o:microsoft:windows_server_2008:r2:::::::*
	cpe:2.3:o:microsoft:windows_server_2012:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2012:r2:::::::*
	cpe:2.3:o:microsoft:windows_server_2016::::::::
	cpe:2.3:o:microsoft:windows_vista::sp2::::::*

History

21 Nov 2024, 03:02

Type	Values Removed	Values Added
References	~~() http://www.securityfocus.com/bid/96622 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/96622 - Third Party Advisory, VDB Entry
References	~~() http://www.securitytracker.com/id/1038012 -~~	() http://www.securitytracker.com/id/1038012 -
References	~~() https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0055 - Patch, Vendor Advisory~~	() https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0055 - Patch, Vendor Advisory

Information

Published : 2017-03-17 00:59

Updated : 2024-11-21 03:02

NVD link : CVE-2017-0055

Mitre link : CVE-2017-0055

CVE.ORG link : CVE-2017-0055

JSON object : View

Products Affected

microsoft

windows_vista
windows_10
windows_7
windows_8.1
windows_rt_8.1
windows_server_2016
windows_server_2012
windows_server_2008

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2017-0055

6.1^/10

4.3^/10

Attach tags to `CVE-2017-0055`