CVE-2012-1858

Name of the Vulnerable Software and Affected Versions Microsoft Internet Explorer versions 8 through 9 Microsoft Communicator version 2007 R2 Microsoft Lync versions 2010 through 2010 Attendee

Description The toStaticHTML API, also known as the SafeHTML component, does not properly handle event attributes and script, making it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted HTML document. This issue is related to the way HTML strings are sanitized, allowing an attacker to perform cross-site scripting attacks and run script in the security context of the logged-on user. An attacker could exploit the vulnerability by constructing a specially crafted Web page, potentially leading to information disclosure if a user views the Web page.

Recommendations For Microsoft Internet Explorer versions 8 through 9, consider disabling the toStaticHTML API until a patch is available. For Microsoft Communicator version 2007 R2, restrict access to the SafeHTML component to minimize the risk of exploitation. For Microsoft Lync versions 2010 through 2010 Attendee, avoid using the toStaticHTML method in API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.