Microsoft SharePoint 'wizardlist.aspx' Cross Site Scripting Vulnerability
BID:51937
Info
| Bugtraq ID: | 51937 |
| Class: | Input Validation Error |
| CVE: | CVE-2012-0145 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 14 2012 12:00AM |
| Updated: | Feb 14 2012 12:00AM |
| Credit: | Rocco Calvi |
| Vulnerable: | Microsoft SharePoint Foundation 2010 SP1; Microsoft SharePoint Foundation 2010 0; Microsoft Office SharePoint Server 2010 SP1; Microsoft Office SharePoint Server 2010 0 |
| Not Vulnerable: | |
Discussion
Microsoft SharePoint is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to perform unauthorized actions such as reading, modifying, or deleting content on the SharePoint site on behalf of the victim.
Exploit / POC
Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.
Solution / Fix
Solution:
Vendor updates are available. Please see the references for more information.
Microsoft SharePoint Foundation 2010 SP1
- Microsoft Security Update for Microsoft SharePoint Foundation 2010 (KB2553413)
  http://www.microsoft.com/downloads/details.aspx?familyid=dd348109-953b-4154-b265-85e4694238e6

Microsoft Office SharePoint Server 2010 0
- Microsoft Security Update for 2010 Microsoft Business Productivity Servers (KB2597124)
  http://www.microsoft.com/downloads/details.aspx?familyid=44a8eb5a-e469-4d36-b5a0-7e030c1d3244

Microsoft SharePoint Foundation 2010 0
- Microsoft Security Update for Microsoft SharePoint Foundation 2010 (KB2553413)
  http://www.microsoft.com/downloads/details.aspx?familyid=dd348109-953b-4154-b265-85e4694238e6

Microsoft Office SharePoint Server 2010 SP1
- Microsoft Security Update for 2010 Microsoft Business Productivity Servers (KB2597124)
  http://www.microsoft.com/downloads/details.aspx?familyid=44a8eb5a-e469-4d36-b5a0-7e030c1d3244
References
References:
- Microsoft SharePoint Homepage (Microsoft)
- Microsoft Security Bulletin MS12-011 (Microsoft)