Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
| Summary | |
|---|---|
| Title | Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege |
| Informations | |||
|---|---|---|---|
| Name | KB983438 | First vendor Publication | 2010-04-29 |
| Vendor | Microsoft | Last vendor Modification | 2010-06-08 |
| Severity (Vendor) | N/A | Revision | 2.0 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 4.3 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-039 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-039. The vulnerability addressed is the Help.aspx XSS Vulnerability - CVE-2010-0817. |
Original Source
| Url : http://www.microsoft.com/technet/security/advisory/983438.mspx |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:7468 | |||
| Oval ID: | oval:org.mitre.oval:def:7468 | ||
| Title: | Help.aspx XSS Vulnerability | ||
| Description: | Cross-site scripting (XSS) vulnerability in _layouts/help.aspx in Microsoft SharePoint Server 2007 12.0.0.6421 and possibly earlier, and SharePoint Services 3.0 SP1 and SP2, versions, allows remote attackers to inject arbitrary web script or HTML via the cid0 parameter. | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-0817 | Version: | 7 |
| Platform(s): | Microsoft Windows Server 2003 | Product(s): | Microsoft Windows SharePoint Services 3.0 |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 | |
| Application | 4 |
ExploitDB Exploits
| id | Description |
|---|---|
| 2010-04-29 | Microsoft SharePoint Server 2007 XSS Vulnerability |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2011-09-14 | Name : Microsoft SharePoint Server 2007 '_layouts/help.aspx' Cross Site Scripting Vu... File : nvt/gb_sharepoint_39776.nasl |
| 2010-05-04 | Name : Microsoft SharePoint '_layouts/help.aspx' Cross Site Scripting Vulnerability File : nvt/secpod_ms_sharepoint_layouts_xss_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 64170 | Microsoft SharePoint Server _layouts/help.aspx cid0 Parameter XSS |
Information Assurance Vulnerability Management (IAVM)
| Date | Description |
|---|---|
| 2010-06-10 | IAVM : 2010-A-0079 - Multiple Vulnerabilities in Microsoft Office SharePoint Severity : Category II - VMSKEY : V0024377 |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2014-01-10 | Microsoft Office SharePoint XSS attempt RuleID : 16560 - Revision : 17 - Type : SERVER-WEBAPP |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-07-01 | Name : An application running on the remote web server has a cross-site scripting vu... File : sharepoint_help_xss.nasl - Type : ACT_ATTACK |
| 2010-06-09 | Name : The remote host has multiple vulnerabilities. File : smb_nt_ms10-039.nasl - Type : ACT_GATHER_INFO |
