CVE-2012-1859

Name of the Vulnerable Software and Affected Versions Microsoft SharePoint Server 2010 versions Gold through SP1 Microsoft SharePoint Foundation 2010 versions Gold through SP1 Microsoft Office Web Apps 2010 versions Gold through SP1

Description The issue allows remote attackers to inject arbitrary web script or HTML via crafted JavaScript elements in a URL. This is a cross-site scripting and elevation of privilege vulnerability, enabling attacker-controlled JavaScript to run in the context of the user clicking a link. It potentially allows an anonymous attacker to issue SharePoint commands in the context of an authenticated user on the site.

Recommendations For Microsoft SharePoint Server 2010 versions Gold through SP1, update to a version that includes the fix for this issue. For Microsoft SharePoint Foundation 2010 versions Gold through SP1, update to a version that includes the fix for this issue. For Microsoft Office Web Apps 2010 versions Gold through SP1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the scriptresx.ashx endpoint until a patch is available.