Vulnerability Note VU#340409

Microsoft Windows SharePoint Services and SharePoint Team Services cross-site scripting vulnerabilities

Original Release date: 08 Feb 2005 | Last revised: 08 Feb 2005

Overview

Microsoft Windows SharePoint Services and SharePoint Team Services contain cross-site scripting vulnerabilities. These vulnerabilities could be exploited to execute arbitrary code in the security context of the affected user.

Description

Microsoft Windows SharePoint Services for Windows Server 2003 and SharePoint Team Services are used to create collaborative Web sites. Versions of Microsoft SharePoint software contain several cross-site scripting vulnerabilities caused by insufficient validation of data used as input to HTML redirection queries. The output of such queries may contain malicious script that if executed, could lead to arbitrary code of an attacker's choice being run in the security context of the affected user.

Impact

These vulnerabilities could be exploited to execute arbitrary code in the security context of the affected user.

In addition, per Microsoft Security Bulletin MS05-006:

It may also be possible for an attacker to exploit this vulnerability to modify Web browser caches and intermediate proxy server caches, and put spoofed content in those caches.

Solution

Apply a patch from the vendor


Microsoft has published Microsoft Security Bulletin MS05-006 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-08 Feb 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Microsoft for reporting this vulnerability in Microsoft Security Bulletin MS05-006.

This document was written by Jeffrey S. Havrilla.

Other Information

  • CVE IDs: CAN-2005-0049
  • Date Public: 08 Feb 2005
  • Date First Published: 08 Feb 2005
  • Date Last Updated: 08 Feb 2005
  • Severity Metric: 15.12
  • Document Revision: 6

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.