Andrew Connell

**Name of the Vulnerable Software and Affected Versions** Microsoft Office SharePoint Server 2010 versions Gold and SP1 Microsoft SharePoint Foundation 2010 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the URI. This could result in information disclosure or elevation of privilege if a user clicks a specially crafted URL containing malicious JavaScript elements. The vulnerability enables an attacker to issue SharePoint commands in the context of the authenticated user on the targeted SharePoint site. **Recommendations** For Microsoft Office SharePoint Server 2010 versions Gold and SP1, update to a version that includes the fix for this issue. For Microsoft SharePoint Foundation 2010, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the SharePoint Calendar feature until a patch is available. Avoid using specially crafted URLs that contain malicious JavaScript elements in the affected SharePoint versions until the issue is resolved.