PT-2015-5770 · Microsoft · BizTalk Server 2013 R2+3

Published 2015-08-15 · Updated 2018-10-12 · CVE-2015-2475

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Microsoft Windows Server 2008 SP2
BizTalk Server 2010
BizTalk Server 2013 Gold
BizTalk Server 2013 R2

Description

A cross-site scripting (XSS) issue exists in the UDDI Services component, allowing remote attackers to inject arbitrary web script or HTML via the search parameter in uddi/search/frames.aspx. This potentially enables attackers to elevate privileges.

Recommendations

For Microsoft Windows Server 2008 SP2, update to a version that includes the fix for this issue. For BizTalk Server 2010, apply the patch that addresses the UDDI Services Elevation of Privilege issue. For BizTalk Server 2013 Gold and 2013 R2, restrict access to the uddi/search/frames.aspx endpoint until a patch is applied, and avoid using the search parameter in this endpoint to minimize the risk of exploitation.

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2015-2475

Affected Products

BizTalk Server 2010
BizTalk Server 2013 Gold
BizTalk Server 2013 R2
Windows Server 2008 R2