Executive Summary

Title Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893)
Name MS11-049 First vendor Publication 2011-06-14
Vendor Microsoft Last vendor Modification 2012-02-15
Severity (Vendor) Important Revision 2.4

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Revision Note: V2.4 (February 15, 2012): Corrected the SQL Server Version Range for SQL Server 2008 R2 in the update FAQ.

Summary: This security update resolves a privately reported vulnerability in Microsoft XML Editor. The vulnerability could allow information disclosure if a user opened a specially crafted Web Service Discovery (.disco) file with one of the affected software listed in this bulletin. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.

Original Source

Url : http://technet.microsoft.com/en-us/security/bulletin/ms11-049

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12664
Oval ID: oval:org.mitre.oval:def:12664
Title: XML External Entities Resolution Vulnerability
Description: The XML Editor in Microsoft InfoPath 2007 SP2 and 2010; SQL Server 2005 SP3 and SP4 and 2008 SP1, SP2, and R2; SQL Server Management Studio Express (SSMSE) 2005; and Visual Studio 2005 SP1, 2008 SP1, and 2010 does not properly handle external entities, which allows remote attackers to read arbitrary files via a crafted .disco (Web Service Discovery) file, aka "XML External Entities Resolution Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2011-1280
Version: 33
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7
Product(s): Microsoft Office InfoPath 2007
Microsoft Office InfoPath 2010
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition
Microsoft SQL Server Management Studio Express (SSMSE) 2005
Microsoft SQL Server 2008
Microsoft SQL Server 2008 R2
Microsoft Visual Studio 2005
Microsoft Visual Studio 2008
Microsoft Visual Studio 2010
Definition Synopsis:

CPE : Common Platform Enumeration

Application 3
Application 17
Application 2
Application 3

OpenVAS Exploits

Date Description
2011-06-21 Name : Microsoft XML Editor Information Disclosure Vulnerability (2543893)
File : nvt/secpod_ms11-049.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
72934 Microsoft XML Editor External Entities Resolution Unspecified Information Dis...

Information Assurance Vulnerability Management (IAVM)

Date Description
2011-06-16 IAVM : 2011-B-0064 - Microsoft XML Editor Information Disclosure Vulnerability
Severity : Category II - VMSKEY : V0028601

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Visual Studio information disclosure attempt
RuleID : 19234 - Revision : 7 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date Description
2014-03-10 Name : An application on the remote Windows host has an information disclosure vulne...
File : smb_kb2543893.nasl - Type : ACT_GATHER_INFO
2011-06-15 Name : An application on the remote Windows host has an information disclosure vulne...
File : smb_nt_ms11-049.nasl - Type : ACT_GATHER_INFO
2003-01-26 Name : The remote host has a database server installed.
File : mssql_version.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
Date Informations
2014-03-11 13:21:27
  • Multiple Updates
2014-02-17 11:47:01
  • Multiple Updates
2014-01-19 21:30:41
  • Multiple Updates
2013-11-11 12:41:23
  • Multiple Updates
2013-05-11 00:49:50
  • Multiple Updates