Back
CVE-2000-0970
IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability.
Published: Dec 19, 2000
Modified: Apr 16, 2026
CVSS Metrics
Affected Products (2)
| Vendor | Product | Version |
|---|---|---|
| microsoft | internet_information_server | 4.0 |
| microsoft | internet_information_services | 5.0 |
GitHub Security Advisory GHSA-rhm7-5gpj-qgx2
IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions,...
References (8)
- http://www.acrossecurity.com/aspr/ASPR-2000-07-22-1-PUB.txt
- http://www.osvdb.org/7265
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-080
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5396
- http://www.acrossecurity.com/aspr/ASPR-2000-07-22-1-PUB.txt
- http://www.osvdb.org/7265
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-080
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5396
Risk Scores
CVSS Score
7.5 / 10
EPSS Score
38.46%
Top 3% most likely to be exploited
Threat Score
41.5 / 100
Data Sources
NVD
EPSS
GitHub