PT-2012-4077 · Microsoft · Groove Server+7
Andrew Lyons +1 · Published 2012-10-09 · Updated 2018-10-12 · CVE-2012-2520
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Microsoft InfoPath versions 2007 SP2 through 2007 SP3
Microsoft InfoPath version 2010 SP1
Microsoft Communicator version 2007 R2
Microsoft Lync versions 2010 and 2010 Attendee
Microsoft SharePoint Server versions 2007 SP2 through 2007 SP3
Microsoft SharePoint Server version 2010 SP1
Microsoft Groove Server version 2010 SP1
Microsoft Windows SharePoint Services version 3.0 SP2
Microsoft SharePoint Foundation version 2010 SP1
Microsoft Office Web Apps version 2010 SP1
Description
The issue allows remote attackers to inject arbitrary web script or HTML via a crafted string. This is due to an elevation of privilege vulnerability in the way that HTML strings are sanitized. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user.
Recommendations
For Microsoft InfoPath versions 2007 SP2 through 2007 SP3, update to a newer version to mitigate the risk.
For Microsoft InfoPath version 2010 SP1, update to a newer version to mitigate the risk.
For Microsoft Communicator version 2007 R2, update to a newer version to mitigate the risk.
For Microsoft Lync versions 2010 and 2010 Attendee, update to a newer version to mitigate the risk.
For Microsoft SharePoint Server versions 2007 SP2 through 2007 SP3, update to a newer version to mitigate the risk.
For Microsoft SharePoint Server version 2010 SP1, update to a newer version to mitigate the risk.
For Microsoft Groove Server version 2010 SP1, update to a newer version to mitigate the risk.
For Microsoft Windows SharePoint Services version 3.0 SP2, update to a newer version to mitigate the risk.
For Microsoft SharePoint Foundation version 2010 SP1, update to a newer version to mitigate the risk.
For Microsoft Office Web Apps version 2010 SP1, update to a newer version to mitigate the risk.
Fix
XSS
Affected Products
Ge Communicator
Groove Server
InfoPath
Lync
Office Web Apps
SharePoint Foundation
SharePoint Server
Windows SharePoint Services