ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability.
Buffer overflow in the dvwssr.dll DLL in Microsoft Visual Interdev 1.0 allows users to cause a denial of service or execute commands, aka the "Link View Server-Side Component" vulnerability.
IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability.
Buffer overflows in Microsoft Network Monitor (Netmon) allow remote attackers to execute arbitrary commands via a long Browser Name in a CIFS Browse Frame, a long SNMP community name, or a long username or filename in an SMB session, aka the "Netmon Protocol Parsing" vulnerability. NOTE: It is highly likely that this candidate will be split into multiple candidates.
Netscape Communicator does not properly prevent a ServerSocket object from being created by untrusted entities, which allows remote attackers to create a server on the victim's system via a malicious applet, as demonstrated by Brown Orifice.
Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 allow remote attackers to gain privileges via a malformed Select statement in an SQL query.
Microsoft Internet Information Services (IIS) 5.1 permits the IUSR_Machine account to execute non-EXE files such as .COM files, which allows attackers to execute arbitrary commands via arguments to any .COM file that executes those arguments, as demonstrated using win.com when it is in a web directory with certain permissions.
Hotmail does not properly filter JavaScript code from a user's mailbox, which allows a remote attacker to execute code via the LOWSRC or DYNRC parameters in the IMG tag.
DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes.
Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges.
PowerPoint 95 and 97 allows remote attackers to cause an application to be run automatically without prompting the user, possibly through the slide show, when the document is opened in browsers such as Internet Explorer.
RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not properly restrict access as specified in the .Rhosts file when a user comes from an authorized host, which could allow unauthorized users to access the service by logging in from an authorized host.
Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel "CALL Vulnerability."
Sample web sites on Microsoft Site Server 3.0 Commerce Edition do not validate an identification number, which allows remote attackers to execute SQL commands.
Index Server 2.0 on IIS 4.0 stores physical path information in the ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose permissions allows local and remote users to obtain the physical paths of directories that are being indexed.
Microsoft Internet Information Services (IIS) server 4.0 SP4, without certain hotfixes released for SP4, does not require authentication credentials under certain conditions, which allows remote attackers to bypass authentication requirements, as demonstrated by connecting via Microsoft Visual InterDev 6.0.
Internet Explorer 4 treats a 32-bit number ("dotless IP address") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server.
IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability.
Buffer overflow in Internet Explorer 4.01 and earlier allows remote attackers to execute arbitrary commands via a long URL with the "mk:" protocol, aka the "MK Overrun security issue."
Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability.
Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol.
In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).
The registry in Windows NT can be accessed remotely by users who are not administrators.
A Windows NT local user or administrator account has a default, null, blank, or missing password.
A NETBIOS/SMB share password is guessable.
A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands.
In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.
IP forwarding is enabled on a machine which is not a router or firewall.
A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc.
Buffer overflow in War FTP allows remote execution of commands.
A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking.
A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.
IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions.
Remote command execution in Microsoft Internet Explorer using .lnk and .url files.
NETBIOS share information may be published through SNMP registry keys in NT.
Buffer overflow in NetMeeting allows denial of service and remote command execution.
Heap-based buffer overflow in the WMCheckURLScheme function in WMVCORE.DLL in Microsoft Windows Media Player (WMP) 10.00.00.4036 on Windows XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via a long HREF attribute, using an unrecognized protocol, in a REF element in an ASX PlayList file.
Open Management Infrastructure Remote Code Execution Vulnerability
Multiple unspecified vulnerabilities in DirectAnimation ActiveX controls for Microsoft Internet Explorer 5.01 through 6 have unknown impact and remote attack vectors, possibly related to (1) Danim.dll and (2) Lmrt.dll, a different set of vulnerabilities than CVE-2006-4446 and CVE-2006-4777.
Microsoft Edge (Chromium-based) Tampering Vulnerability
Buffer overflow in Microsoft Class Package Export Tool (aka clspack.exe) allows context-dependent attackers to execute arbitrary code via a long string. NOTE: the provenance of this information is unknown; the details are obtained from third party information.
Multiple buffer overflows in Microsoft Dynamics GP (formerly Great Plains) 9.0 and earlier allow remote attackers to execute arbitrary code via (1) a crafted Distributed Process Manager (DPM) message to the (a) DPM component, or a (2) long string or (3) long IP address in a Distributed Process Server (DPS) message to the DPM or (b) DPS component.
In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_SIZE File Contents Request PDU.
In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_RANGE File Contents Request PDU.
Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
Microsoft Visual Studio 6.0 allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code by instantiating certain Visual Studio 6.0 ActiveX COM Objects in Internet Explorer, including (1) tcprops.dll, (2) fp30wec.dll, (3) mdt2db.dll, (4) mdt2qd.dll, and (5) vi30aut.dll.
Internet Explorer 6 on Windows XP SP2 allows remote attackers to execute arbitrary JavaScript in the context of the browser's session with an arbitrary intranet web server, by hosting script on an Internet web server that can be made inaccessible by the attacker and that has a domain name under the attacker's control, which can force the browser to drop DNS pinning and perform a new DNS query for the domain name after the script is already running.
The Terminal Services COM object (tsuserex.dll) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by instantiating it as an ActiveX object in Internet Explorer 6.0 SP1 on Microsoft Windows 2003 EE SP1 CN.
Microsoft Internet Security and Acceleration (ISA) Server 2004 allows remote attackers to bypass file extension filters via a request with a trailing "#" character. NOTE: as of 20060715, this could not be reproduced by third parties.
Adobe Reader and Acrobat before 9.5, and 10.x before 10.1.2, on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-4370 and CVE-2011-4373.