CVE-2012-0145

Name of the Vulnerable Software and Affected Versions Microsoft Office SharePoint Server 2010 versions Gold and SP1 Microsoft SharePoint Foundation 2010 versions Gold and SP1

Description A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL. This could result in information disclosure or elevation of privilege if a user clicks a specially crafted URL containing malicious JavaScript elements. When the malicious JavaScript is echoed back to the user's browser, the resulting page could allow an attacker to issue SharePoint commands in the context of the authenticated user on the targeted SharePoint site.

Recommendations For Microsoft Office SharePoint Server 2010 versions Gold and SP1, consider disabling access to the wizardlist.aspx page until a patch is available. For Microsoft SharePoint Foundation 2010 versions Gold and SP1, restrict the use of JavaScript sequences in URLs to minimize the risk of exploitation. As a temporary workaround, avoid using specially crafted URLs containing malicious JavaScript elements until the issue is resolved.