Hi,

*SYNTHESIS OF THE VULNERABILITY*
An attacker can use the help page of Microsoft SharePoint Server, in order to generate a Cross Site Scripting.

Severity: 2/4
Creation date: 29/04/2010
Revision date: 30/04/2010

*DESCRIPTION OF THE VULNERABILITY*

The help page of the Microsoft SharePoint Server environment is managed by the script "/_layouts/help.aspx". The "cid0" parameter of help.aspx indicates the name of the Manifest file. For example:

help.aspx?cid0=MS.WSS.manifest.xml

However, if this parameter contains a null character, the code located after it is directly displayed in the HTML page.

An attacker can therefore use the help page of Microsoft SharePoint Server, in order to generate a Cross Site Scripting.

The link below gives you some idea about that:

http://vigilance.fr/vulnerability/Microsoft-SharePoint-Server-Cross-Site-Scripting-via-help-aspx-9620

On Wed, May 12, 2010 at 10:12 PM, N41K <[email protected]> wrote:

> If you can clearly go through the post, it means that there are two
> critical patches which you also listed it out. Apart this there are
> other critical Vulnerabilities where the Share point server remained
> unpatched and some technical information on Sharepoint vulnerability is
> discussed.
>
> Thanks & Regards,
> 0xN41K
>
> On May 13, 7:11 am, Amar Deep <[email protected]> wrote:
> > Hi Naik,
> >
> > as u told that microsoft fixing to critical vulnerabilities that u find
> > below
> >
> > In today's Patch Tuesday, Microsoft delivers
> > <http://www.microsoft.com/technet/security/bulletin/ms10-may.mspx> two
> > security bulletins that address vulnerabilities affecting Windows,
> > Office and Visual Basic for Applications.
> >
> > *Vulnerability in Outlook Express and Windows Mail Could Allow Remote
> > Code Execution*
> >
> > This security update resolves a privately reported vulnerability in
> > Outlook Express, Windows Mail, and Windows Live Mail. The vulnerability
> > could allow remote code execution if a user visits a malicious e-mail
> > server. An attacker who successfully exploited this vulnerability could
> > gain the same user rights as the local user. Users whose accounts are
> > configured to have fewer user rights on the system could be less
> > impacted than users who operate with administrative user rights.
> >
> > *Vulnerability in Microsoft Visual Basic for Applications Could Allow
> > Remote Code Execution*
> >
> > This security update resolves a privately reported vulnerability in
> > Microsoft Visual Basic for Applications. The vulnerability could allow
> > remote code execution if a host application opens and passes a specially
> > crafted file to the Visual Basic for Applications runtime. If a user is
> > logged on with administrative user rights, an attacker who successfully
> > exploited this vulnerability could take complete control of an affected
> > system. An attacker could then install programs; view, change, or delete
> > data; or create new accounts with full user rights. Users whose accounts
> > are configured to have fewer user rights on the system could be less
> > impacted than users who operate with administrative user rights.
--
You received this message because you are subscribed to the Google Groups "nforceit" group.
To post to this group, send an email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/nforceit?hl=en-GB.
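Added example, not part of the original thread or the quoted advisory: a log check a defender could run to find requests matching the condition the advisory describes, a null character inside the "cid0" parameter of /_layouts/help.aspx. It assumes IIS W3C extended logs with the cs-uri-stem and cs-uri-query fields; the sample lines, addresses and function names are constructed for illustration.

```python
from urllib.parse import unquote_plus

HELP_PAGE = "/_layouts/help.aspx"   # script named in the advisory
PARAM = "cid0"                      # parameter named in the advisory

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-05-12 10:01:07 192.0.2.10 GET /_layouts/help.aspx cid0=MS.WSS.manifest.xml 200
2010-05-12 10:02:31 192.0.2.44 GET /_layouts/help.aspx cid0=MS.WSS.manifest.xml%00TRAILING-TEXT 200
2010-05-12 10:02:40 192.0.2.44 GET /_layouts/Help.aspx lcid=1033&CID0=a.xml%2500TRAILING-TEXT 200
2010-05-12 10:03:02 192.0.2.10 GET /default.aspx q=%00 200
"""

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded %2500 is also caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def param_values(query, name):
    """Yield raw values of `name` (case-insensitive) from a query string."""
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if fully_decode(key).lower() == name:
            yield val

def suspicious_requests(log_text):
    """Return (client_ip, raw_query) for help.aspx hits whose cid0 holds a NUL."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != HELP_PAGE:
            continue
        query = row.get("cs-uri-query", "")
        if any("\x00" in fully_decode(v) for v in param_values(query, PARAM)):
            hits.append((row["c-ip"], query))
    return hits

if __name__ == "__main__":
    for ip, query in suspicious_requests(SAMPLE_LOG):
        print(ip, query)
```

The same null-character test can serve as a request-filtering rule in front of the server until the page itself is patched.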
