CVE-1999-1246
CVE-1999-1246 is a high-severity vulnerability in Microsoft Site Server with a CVSS 2.0 base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: High (CVSS 2.0 base score 7.5)
- EPSS exploit prediction: 9% (95th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Microsoft Site Server
- Published:
- Last modified:
Description
Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges.
Frequently asked questions
- What is CVE-1999-1246?
- Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges.
- How severe is CVE-1999-1246?
- CVE-1999-1246 has a CVSS 2.0 base score of 7.5, rated high severity.
- Is CVE-1999-1246 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 9% (95th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-1999-1246?
- CVE-1999-1246 affects Microsoft Site Server. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-1999-1246?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-1999-1246 published?
- CVE-1999-1246 was published on 1999-12-31 and last updated on 2026-06-16.
References
- http://support.microsoft.com/support/kb/articles/Q229/9/72.asp
- https://exchange.xforce.ibmcloud.com/vulnerabilities/2068
Affected products (1)
- cpe:2.3:a:microsoft:site_server:3.0:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Site Server
- CVE-1999-1011 — Critical (CVSS 10.0): The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x…
- CVE-2002-1769 — High (CVSS 7.5): Microsoft Site Server 3.0 prior to SP4 installs a default user, LDAP_Anonymous, with a default password of…
- CVE-2000-0161 — High (CVSS 7.5): Sample web sites on Microsoft Site Server 3.0 Commerce Edition do not validate an identification number, which allows…
- CVE-1999-0360 — High (CVSS 7.2): MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing…
- CVE-2000-0024 — Medium (CVSS 6.4): IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in…
- CVE-2002-2081 — Medium (CVSS 5.0): cphost.dll in Microsoft Site Server 3.0 allows remote attackers to cause a denial of service (disk consumption) via an…