2012-11-13
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The more severe vulnerability could allow information disclosure if an attacker sends specially crafted FTP commands to the server.
Vulnerabilities addressed in this bulletin:
Password Disclosure Vulnerability
An information disclosure vulnerability exists when Microsoft Internet Information Services (IIS) fails to properly protect log files.
CVE-2012-2531
FTP Command Injection Vulnerability
An information disclosure vulnerability exists in the way that Microsoft Internet Information Services (IIS) FTP Service negotiates encrypted communications channels.
CVE-2012-2532

Bulletin details at Microsoft.com

Related CVE Entries

Microsoft Internet Information Services (IIS) 7.5 uses weak permissions for the Operational log, which allows local users to discover credentials by reading this file, aka "Password Disclosure Vulnerability."
Max CVSS: 2.1
EPSS Score: 0.04%
Published: 2012-11-14
Updated: 2021-02-05
Microsoft FTP Service 7.0 and 7.5 for Internet Information Services (IIS) processes unspecified commands before TLS is enabled for a session, which allows remote attackers to obtain sensitive information by reading the replies to these commands, aka "FTP Command Injection Vulnerability."
Max CVSS: 5.0
EPSS Score: 0.36%
Published: 2012-11-14
Updated: 2021-02-05