PT-2011-3454 · Microsoft · Office SharePoint Server 2010 (+5)

Published: 2011-09-15 · Updated: 2018-10-12 · CVE-2011-1893

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Microsoft Office SharePoint Server 2010
Windows SharePoint Services 2.0
Windows SharePoint Services 3.0 SP2
SharePoint Foundation 2010

Description

A cross-site scripting vulnerability exists, allowing remote attackers to inject arbitrary web script or HTML via the URI. This issue also involves information disclosure and elevation of privilege, where JavaScript encoded in a specially crafted URL can be reflected back to the user, enabling an attacker to issue commands in the context of the authenticated user on a targeted site.

Recommendations

For Microsoft Office SharePoint Server 2010, update to a version that includes the fix for this issue.
For Windows SharePoint Services 2.0, consider disabling the use of specially crafted URLs until a patch is available.
For Windows SharePoint Services 3.0 SP2, restrict access to the affected pages to minimize the risk of exploitation.
For SharePoint Foundation 2010, avoid using JavaScript encoded in URLs in the affected API endpoints until the issue is resolved.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2011-1893

Affected Products

Office SharePoint Server 2010
SharePoint Foundation 2010
SharePoint Foundation
SharePoint Server
Windows SharePoint Services 2.0
Windows SharePoint Services 3.0