PT-2012-3603 · Microsoft · Office Sharepoint Server 2007+3

Published: 2012-07-10 · Updated: 2018-10-12 · CVE-2012-1860

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:P

Name of the Vulnerable Software and Affected Versions

Microsoft Office SharePoint Server 2007 versions SP2 through SP3
SharePoint Server 2010 versions Gold through SP1
Office Web Apps 2010 versions Gold through SP1

Description

The issue allows remote authenticated users to obtain sensitive information or cause a denial of service by changing a parameter in a search-scope URL. An information disclosure vulnerability exists in the way that SharePoint stores search scopes, which could allow an attacker to view or tamper with other users' search scopes.

Recommendations

For Microsoft Office SharePoint Server 2007 versions SP2 through SP3, update the permissions for search scopes to properly restrict access.
For SharePoint Server 2010 versions Gold through SP1, modify the search-scope URL parameters to prevent unauthorized changes.
For Office Web Apps 2010 versions Gold through SP1, restrict access to search scopes to prevent information disclosure or tampering.

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2012-1860

Affected Products

Office Sharepoint Server 2007
Office Web Apps 2010
Sharepoint Server 2010
Sharepoint Server