CVE-2011-1890

Name of the Vulnerable Software and Affected Versions Microsoft Office SharePoint Server 2010 Microsoft SharePoint Foundation 2010

Description A cross-site scripting vulnerability exists, allowing remote attackers to inject arbitrary web script or HTML via a post. This vulnerability can also lead to information disclosure and elevation of privilege. If a user visits a specially crafted Web site, malicious JavaScript can be injected into a post made to a targeted SharePoint site, potentially allowing an attacker to issue SharePoint commands in the context of the authenticated user.

Recommendations For Microsoft Office SharePoint Server 2010, update to a version that includes the fix for the Editform Script Injection Vulnerability. For Microsoft SharePoint Foundation 2010, apply the necessary patch to prevent malicious JavaScript injection. As a temporary workaround, consider restricting access to the EditForm.aspx page until a patch is available.