John Hollenberger

**Name of the Vulnerable Software and Affected Versions** Microsoft Office SharePoint Server 2010 versions Gold and SP1 Microsoft SharePoint Foundation 2010 versions Gold and SP1 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL. This could result in information disclosure or elevation of privilege if a user clicks a specially crafted URL containing malicious JavaScript elements. When the malicious JavaScript is echoed back to the user's browser, the resulting page could allow an attacker to issue SharePoint commands in the context of the authenticated user on the targeted SharePoint site. **Recommendations** For Microsoft Office SharePoint Server 2010 versions Gold and SP1, consider disabling access to the themeweb.aspx page until a patch is available. For Microsoft SharePoint Foundation 2010 versions Gold and SP1, restrict access to the themeweb.aspx page to minimize the risk of exploitation. As a temporary workaround, avoid using URLs with malicious JavaScript elements in the affected SharePoint sites until the issue is resolved.