CVE-2012-0017

Name of the Vulnerable Software and Affected Versions Microsoft SharePoint Foundation 2010 Gold and SP1

Description A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL. This could result in information disclosure or elevation of privilege if a user clicks a specially crafted URL containing malicious JavaScript elements. When the malicious JavaScript is echoed back to the user's browser, the resulting page could allow an attacker to issue SharePoint commands in the context of the authenticated user on the targeted SharePoint site.

Recommendations For Microsoft SharePoint Foundation 2010 Gold and SP1, consider disabling access to the inplview.aspx page until a patch is available. Restrict access to URLs that may contain malicious JavaScript elements to minimize the risk of exploitation. Avoid using URLs with JavaScript sequences in Microsoft SharePoint 2010 until the issue is resolved.