CVE-2002-2073
CVE-2002-2073 is a medium-severity vulnerability in Microsoft Site Server with a CVSS 2.0 base score of 4.3. Its EPSS exploit-prediction score of 13% places it in the 96th percentile, indicating an elevated likelihood of exploitation.
Key facts
- Severity: Medium (CVSS 2.0 base score 4.3)
- EPSS exploit prediction: 13% (96th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Microsoft Site Server
- Published:
- Last modified:
Description
Cross-site scripting (XSS) vulnerability in the default ASP pages on Microsoft Site Server 3.0 on Windows NT 4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) ctr parameter in Default.asp and (2) the query string to formslogin.asp.
Frequently asked questions
- What is CVE-2002-2073?
- Cross-site scripting (XSS) vulnerability in the default ASP pages on Microsoft Site Server 3.0 on Windows NT 4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) ctr parameter in Default.asp and (2) the query string to formslogin.asp.
- How severe is CVE-2002-2073?
- CVE-2002-2073 has a CVSS 2.0 base score of 4.3, rated medium severity.
- Is CVE-2002-2073 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 13% (96th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2002-2073?
- CVE-2002-2073 primarily affects Microsoft Site Server. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2002-2073?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2002-2073 published?
- CVE-2002-2073 was published on 2002-12-31 and last updated on 2026-06-16.
References
- http://marc.info/?l=vulnwatch&m=101235440104716&w=2
- http://www.iss.net/security_center/static/8050.php
- http://www.securityfocus.com/bid/3999
Affected products (3)
- cpe:2.3:a:microsoft:site_server:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:site_server_commerce:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Site Server
- CVE-1999-1011 — Critical (CVSS 10.0): The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x…
- CVE-2002-1769 — High (CVSS 7.5): Microsoft Site Server 3.0 prior to SP4 installs a default user, LDAP_Anonymous, with a default password of…
- CVE-2000-0161 — High (CVSS 7.5): Sample web sites on Microsoft Site Server 3.0 Commerce Edition do not validate an identification number, which allows…
- CVE-1999-1246 — High (CVSS 7.5): Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue…
- CVE-1999-0360 — High (CVSS 7.2): MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing…
- CVE-2000-0024 — Medium (CVSS 6.4): IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in…