PT-2014-1212 · Microsoft · Project Server 2013+15
Published: 2014-05-13 · Updated: 2018-10-12 · CVE-2014-0251
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Microsoft Windows SharePoint Services 3.0 SP3
SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1
SharePoint Foundation 2010 SP1 and SP2 and 2013 Gold and SP1
Project Server 2010 SP1 and SP2 and 2013 Gold and SP1
Web Applications 2010 SP1 and SP2
Office Web Apps Server 2013 Gold and SP1
SharePoint Server 2013 Client Components SDK
SharePoint Designer 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1
Description
The vulnerability allows remote authenticated users to execute arbitrary code via crafted page content. It is related to errors that occur when processing specially crafted files. An authenticated attacker who successfully exploits this issue could run arbitrary code in the security context of the W3WP service account and gain full control over the system.
Recommendations
For Microsoft Windows SharePoint Services 3.0 SP3, update to a newer version to mitigate the risk.
For SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1, update to a newer version to mitigate the risk.
For SharePoint Foundation 2010 SP1 and SP2 and 2013 Gold and SP1, update to a newer version to mitigate the risk.
For Project Server 2010 SP1 and SP2 and 2013 Gold and SP1, update to a newer version to mitigate the risk.
For Web Applications 2010 SP1 and SP2, update to a newer version to mitigate the risk.
For Office Web Apps Server 2013 Gold and SP1, update to a newer version to mitigate the risk.
For SharePoint Server 2013 Client Components SDK, update to a newer version to mitigate the risk.
For SharePoint Designer 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1, update to a newer version to mitigate the risk.
As a temporary workaround, consider restricting access to crafted page content until a patch is available.
Fix
RCE
Code Injection
Affected Products
Windows SharePoint Services 3.0
Office Web Apps Server 2013
Project Server 2010
Project Server 2013
SharePoint Designer 2007
SharePoint Designer 2010
SharePoint Designer 2013
SharePoint Foundation 2010
SharePoint Foundation 2013
SharePoint Server 2007
SharePoint Server 2010
SharePoint Server 2013
SharePoint Server 2013 Client Components SDK
SharePoint Foundation
SharePoint Server
Web Applications 2010