PT-2010-3851 · Microsoft · Windows Help/Support Center

Tavis Ormandy · Published 2010-06-14 · Updated 2019-02-26 · CVE-2010-2265

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Microsoft Windows Help and Support Center versions for Windows XP and Windows Server 2003

Description: A cross-site scripting (XSS) issue exists in the GetServerName function, allowing remote attackers to inject arbitrary web script or HTML via the svr parameter to "sysinfo/sysinfomain.htm". This can potentially be used to execute arbitrary commands without user interaction when combined with other vulnerabilities.

Recommendations: For Microsoft Windows Help and Support Center versions for Windows XP and Windows Server 2003, consider restricting access to the "sysinfo/sysinfomain.htm" endpoint until a fix is available. As a temporary workaround, avoid using the svr parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS


Weakness Enumeration

Related Identifiers

CVE-2010-2265

Affected Products

Windows Help/Support Center
Windows Server 2003
Windows XP