Pedro Jimenez

**Name of the Vulnerable Software and Affected Versions** Microsoft Office SharePoint Server 2010 Microsoft SharePoint Foundation 2010 **Description** A cross-site scripting vulnerability exists, allowing remote attackers to inject arbitrary web script or HTML via a post. This vulnerability can also lead to information disclosure and elevation of privilege. If a user visits a specially crafted Web site, malicious JavaScript can be injected into a post made to a targeted SharePoint site, potentially allowing an attacker to issue SharePoint commands in the context of the authenticated user. **Recommendations** For Microsoft Office SharePoint Server 2010, update to a version that includes the fix for the Editform Script Injection Vulnerability. For Microsoft SharePoint Foundation 2010, apply the necessary patch to prevent malicious JavaScript injection. As a temporary workaround, consider restricting access to the EditForm.aspx page until a patch is available.