Cross Site Scripting in Microsoft products

Posted: October 11, 2012 in Vulnerabilities

Vulnerability: XSS in Microsoft products

Danger: Low
Patch: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2012-2520
Impact: Cross Site Scripting
Vulnerable products: Microsoft Office InfoPath 2007, Microsoft InfoPath 2010, Microsoft Office Communicator 2007, Microsoft Lync 2010, Microsoft Lync 2010 Attendant, Microsoft Office SharePoint Server 2007, Microsoft Office SharePoint Server 2010, Microsoft Groove Server 2010, Microsoft Windows SharePoint Services 3.x, Microsoft SharePoint Foundation 2010, Microsoft Office Web Apps 2010.

Affected versions:

– Microsoft InfoPath 2007 Service Pack 2;
– Microsoft InfoPath 2007 Service Pack 3;
– Microsoft InfoPath 2010 Service Pack 1;
– Microsoft Communicator 2007 R2;
– Microsoft Lync 2010;
– Microsoft Lync 2010 Attendee;
– Microsoft SharePoint Server 2007 Service Pack 2;
– Microsoft SharePoint Server 2007 Service Pack 3;
– Microsoft SharePoint Server 2010 Service Pack;
– Microsoft Groove Server 2010 Service Pack 1;
– Microsoft Windows SharePoint Services 3.0 Service Pack 2;
– Microsoft SharePoint Foundation 2010 Service Pack 1;
– Microsoft Office Web Apps 2010 Service Pack 1.

Description:

The vulnerability allows an attacker to conduct XSS attacks.

The vulnerability is caused by insufficient validation of input passed in the URL. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Manufacturer URL: www.microsoft.com

Solution: Install the update from the manufacturer.

Links:

MS12-066: Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517)
