CVE-2000-0970

IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability.

Published: Dec 19, 2000
Updated: Apr 13, 2023
CVE: CVE-2000-0970
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
microsoft / internet_information_services	5.0	5.0.x
microsoft / internet_information_server	4.0	4.0.x

http://www.acrossecurity.com/aspr/ASPR-2000-07-22-1-PUB.txt
http://www.osvdb.org/7265
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-080
https://exchange.xforce.ibmcloud.com/vulnerabilities/5396

Vulnerability Database

289,599

CVE-2000-0970