Andrew Lyons

**Name of the Vulnerable Software and Affected Versions** Moodle (affected versions not specified) **Description** The issue is related to a cache poisoning risk, which may allow an attacker to gain access to confidential information through caching. Additional validation for local storage was required to address this risk. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft SharePoint Server 2010 SP1 Groove Server 2010 SP1 SharePoint Foundation 2010 SP1 Office Web Apps 2010 SP1 **Description** The issue is related to an elevation of privilege vulnerability that allows remote attackers to inject arbitrary web script or HTML via a crafted string. This vulnerability enables cross-site scripting (XSS) attacks, which can be exploited by an attacker to run a script in the security context of the current user. **Recommendations** For Microsoft SharePoint Server 2010 SP1, consider disabling HTML sanitization functions until a patch is available. For Groove Server 2010 SP1, restrict access to HTML string sanitization to minimize the risk of exploitation. For SharePoint Foundation 2010 SP1, avoid using crafted strings that could lead to XSS attacks until the issue is resolved. For Office Web Apps 2010 SP1, as a temporary workaround, consider restricting the execution of scripts in the context of the current user.

**Name of the Vulnerable Software and Affected Versions** Microsoft InfoPath versions 2007 SP2 through 2007 SP3 Microsoft InfoPath version 2010 SP1 Microsoft Communicator version 2007 R2 Microsoft Lync versions 2010 and 2010 Attendee Microsoft SharePoint Server versions 2007 SP2 through 2007 SP3 Microsoft SharePoint Server version 2010 SP1 Microsoft Groove Server version 2010 SP1 Microsoft Windows SharePoint Services version 3.0 SP2 Microsoft SharePoint Foundation version 2010 SP1 Microsoft Office Web Apps version 2010 SP1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via a crafted string. This is due to an elevation of privilege vulnerability in the way that HTML strings are sanitized. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user. **Recommendations** For Microsoft InfoPath versions 2007 SP2 through 2007 SP3, update to a newer version to mitigate the risk. For Microsoft InfoPath version 2010 SP1, update to a newer version to mitigate the risk. For Microsoft Communicator version 2007 R2, update to a newer version to mitigate the risk. For Microsoft Lync versions 2010 and 2010 Attendee, update to a newer version to mitigate the risk. For Microsoft SharePoint Server versions 2007 SP2 through 2007 SP3, update to a newer version to mitigate the risk. For Microsoft SharePoint Server version 2010 SP1, update to a newer version to mitigate the risk. For Microsoft Groove Server version 2010 SP1, update to a newer version to mitigate the risk. For Microsoft Windows SharePoint Services version 3.0 SP2, update to a newer version to mitigate the risk. For Microsoft SharePoint Foundation version 2010 SP1, update to a newer version to mitigate the risk. For Microsoft Office Web Apps version 2010 SP1, update to a newer version to mitigate the risk.