|Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1,
3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information
Services (IIS), provides detailed error codes during decryption
attempts, which allows remote attackers to decrypt and modify
encrypted View State (aka __VIEWSTATE) form data, and possibly forge
cookies or read application files, via a padding oracle attack, aka
"ASP.NET Padding Oracle Vulnerability."