Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-2815

CWE-2644 documents4 sources
Severity
10.0CRITICAL
EPSS
85.9%
top 0.61%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Microsoft Internet Information Services
Timeline
PublishedMay 22
Latest updateMay 1

Description

The "hit-highlighting" functionality in webhits.dll in Microsoft Internet Information Services (IIS) Web Server 5.0 only uses Windows NT ACL configuration, which allows remote attackers to bypass NTLM and basic authentication mechanisms and access private web directories via the CiWebhitsfile parameter to null.htw.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-86f6-f7gx-x5qm: The "hit-highlighting" functionality in webhits2022-05-01
CVEList
CVE-2007-2815: The "hit-highlighting" functionality in webhits2007-05-22

💥Exploits & PoCs

1
Exploit-DB
Microsoft IIS 5.1 - Hit Highlighting Authentication Bypass2007-05-31
CVE-2007-2815 (CRITICAL CVSS 10) | The "hit-highlighting" functionalit | cvebase.io