
Ville Solarius

#51741 of 53,638
4.3 CVSS total
Vulnerabilities · 1
PT-2007-3900
4.3
2007-05-09
Microsoft · Office Sharepoint Server 2007 · CVE-2007-2581
**Name of the Vulnerable Software and Affected Versions**

Microsoft Windows SharePoint Services 3.0
Office SharePoint Server 2007

**Description**

The issue allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO in main pages, such as default.aspx, potentially leading to elevation of privilege within the SharePoint site or information disclosure at the workstation. User interaction is required to exploit this issue.

**Recommendations**

For Microsoft Windows SharePoint Services 3.0, consider restricting access to the PATH_INFO in main pages until a fix is available.

For Office SharePoint Server 2007, avoid using the PATH_INFO in main pages, such as default.aspx, to minimize the risk of exploitation.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.