XSS Vulnerability in Microsoft IIS Web Servers
CVE-2005-2089

Currently unrated

Key Information:

Vendor
Microsoft
CVE Published:
5 July 2005

Summary

Microsoft IIS 5.0 and 6.0 mishandle HTTP requests that contain both a 'Transfer-Encoding: chunked' header and a Content-Length header. A remote attacker who sends such a crafted request can cause the server to process the request body incorrectly, which can lead to web cache poisoning and bypass of web application firewall protections. The attacker can then conduct cross-site scripting (XSS) attacks against web applications that rely on these IIS versions.

EPSS Score

54% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
