CVE-2011-1252

Name of the Vulnerable Software and Affected Versions Microsoft Internet Explorer versions 7 through 8 Office SharePoint Server versions 2007 SP2 through 2010 SP1 Groove Server versions 2010 Gold through 2010 SP1 Windows SharePoint Services version 3.0 SP2 SharePoint Foundation versions 2010 Gold through 2010 SP1

Description The issue is related to an information disclosure vulnerability in the way the SafeHTML function sanitizes HTML, allowing remote attackers to inject arbitrary web script or HTML via unspecified strings. This could enable cross-site scripting attacks, allowing an attacker to run script in the security context of the logged-on user. An attacker could exploit the vulnerability by constructing a specially crafted Web page, potentially leading to information disclosure if a user views the Web page.

Recommendations For Microsoft Internet Explorer versions 7 through 8, update to a version that includes the fix for the toStaticHTML API. For Office SharePoint Server versions 2007 SP2 through 2010 SP1, apply the recommended configuration changes to the SafeHTML function. For Groove Server versions 2010 Gold through 2010 SP1, restrict access to the toStaticHTML API until a patch is available. For Windows SharePoint Services version 3.0 SP2, consider disabling the SafeHTML function as a temporary workaround. For SharePoint Foundation versions 2010 Gold through 2010 SP1, avoid using the toStaticHTML API in sensitive areas of the application until the issue is resolved.