CVE-2002-0421

IIS 4.0 allows local users to bypass the "User cannot change password" policy for Windows NT by directly calling .htr password changing programs in the /iisadmpwd directory, including (1) aexp2.htr, (2) aexp2b.htr, (3) aexp3.htr , or (4) aexp4.htr.

Published: Aug 12, 2002
Updated: Apr 13, 2023
CVE: CVE-2002-0421
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
microsoft / windows_nt	4.0	4.0.x
microsoft / windows_nt	4.0-sp1	4.0-sp1.x
microsoft / windows_nt	4.0-sp3	4.0-sp3.x
microsoft / windows_nt	4.0-sp6	4.0-sp6.x
microsoft / windows_nt	4.0-sp4	4.0-sp4.x
microsoft / windows_nt	4.0-sp6a	4.0-sp6a.x
microsoft / windows_nt	4.0-sp2	4.0-sp2.x
microsoft / windows_nt	4.0-sp5	4.0-sp5.x

http://online.securityfocus.com/archive/1/259963
http://www.iss.net/security_center/static/8388.php
http://www.securityfocus.com/bid/4236

Vulnerability Database

CVE-2002-0421