← CVECheck
HomeVulnerabilities

CVE-2000-0970 — HIGH severity vulnerability (IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie f)

IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability.

CVE IDCVE-2000-0970
SeverityHIGH
CVSS score7.5
CVSS vectorAV:N/AC:L/Au:N/C:P/I:P/A:P
CWENVD-CWE-Other
StatusModified
Published2000-12-19
Last modified2026-04-16
DescriptionIIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability.
SourceNIST National Vulnerability Database

🔍 Search all vulnerabilities →