CVE-2009-4445

CWE-20Improper Input Validation3 documents3 sources
Severity
6.0MEDIUM
EPSS
10.1%
top 6.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Microsoft Internet Information Services
Timeline
PublishedDec 29
Latest updateMay 2

Description

Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to create empty files with arbitrary extensions via a filename containing an initial extension followed by a : (colon) and a safe extension, as demonstrated by an upload of a .asp:.jpg file that results in creation of an empty .asp file, related to support for the NTFS Alternate Data Streams (ADS) filename syntax. NOTE: it could be argued that this is

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 6.8 | Impact: 6.4

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-vgvh-f7c3-rv4v: Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to c2022-05-02
CVEList
CVE-2009-4445: Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to c2009-12-29
CVE-2009-4445 (MEDIUM CVSS 6) | Microsoft Internet Information Serv | cvebase.io