Wednesday, March 13, 2013

Multiple vulnerabilities in Microsoft Products


Multiple vulnerabilities in Microsoft SharePoint Server and Microsoft SharePoint Foundation


Danger: High
Patch: Yes
Number of vulnerabilities: 4

CVE ID:
- CVE-2013-0080;
- CVE-2013-0083;
- CVE-2013-0084;
- CVE-2013-0085.

Attack vector: Remote
Impact:
- Cross-site scripting;
- Denial of service;
- Disclosure of sensitive data;
- Exposure of system information;
- System compromise.

Affected products:
- Microsoft SharePoint Server 2010;
- Microsoft SharePoint Foundation 2010.

Affected versions:
- Microsoft SharePoint Server 2010 Service Pack 1;
- Microsoft SharePoint Foundation 2010 Service Pack 1.

Description:

The vulnerabilities allow a remote user to execute arbitrary code on the target system.

1. The vulnerability is caused by insufficient input validation when processing a callback function. A remote user can execute arbitrary code on the target system.

2. The vulnerability is caused by insufficient input validation. This can be exploited to execute arbitrary HTML and JavaScript code in a user's browser session in the context of an affected site.

3. The vulnerability is caused by insufficient input validation. This can be exploited via directory traversal attacks to gain access to sensitive data on the system.

4. The vulnerability is caused by a boundary error in the W3WP process. This can be exploited to crash the application.

Solution: Install the update from the manufacturer.

Links:
MS13-024: Vulnerabilities in SharePoint Could Allow Elevation of Privilege

MS13-027: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege
