CVE-2010-1899 : Stack consumption vulnerability in the ASP implementation in Microsoft Internet Information Services (IIS) 5.1, 6.0, 7.0

Stack consumption vulnerability in the ASP implementation in Microsoft Internet Information Services (IIS) 5.1, 6.0, 7.0, and 7.5 allows remote attackers to cause a denial of service (daemon outage) via a crafted request, related to asp.dll, aka "IIS Repeated Parameter Request Denial of Service Vulnerability."

Published 2010-09-15 19:00:19

Updated 2021-02-05 15:37:21

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: OverflowDenial of service

Threat overview for CVE-2010-1899

Top countries where our scanners detected CVE-2010-1899

Top open port discovered on systems with this issue 80

IPs affected by CVE-2010-1899 1,088,168

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2010-1899!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2010-1899

Probability of exploitation activity in the next 30 days: 96.96%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2010-1899

Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service

Disclosure Date: 2010-09-14

First seen: 2020-04-26

auxiliary/dos/windows/http/ms10_065_ii6_asp_dos

The vulnerability allows remote unauthenticated attackers to force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator. Required is that Active Server Pages are hosted by the IIS and that an ASP script reads out a

More information

CVSS scores for CVE-2010-1899

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2010-1899

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2010-1899

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-065

Microsoft Security Bulletin MS10-065 - Important | Microsoft Docs

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7127

Repository / Oval Repository

Products affected by CVE-2010-1899

Microsoft » Internet Information Server » Version: 6.0
cpe:2.3:a:microsoft:internet_information_server:6.0:*:*:*:*:*:*:*
Matching versions
Microsoft » Internet Information Services » Version: 7.5
cpe:2.3:a:microsoft:internet_information_services:7.5:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2010-1899