MS12-011: Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2663841)

Issued: 14 FEB 2012

Internet Security Systems Guidance

Three privately reported vulnerabilities in Microsoft Sharepoint were fixed in this update. All could be abused to achieve cross-site-scripting in various Sharepoint pages/controls. Those who have publicly facing vulnerable SharePoint installations should apply this update.

Coverage	Related CVEs	Coverage Date	Exploit Dates	Content Update Versions
Cross_Site_Scripting	CVE-2012-0144 CVE-2012-0145 CVE-2012-0017	11 NOV 2008	N/A	BlackICE PC Protection 3.6crk BlackICE Server Protection 3.6.crk IBM Security Host Protection for Desktops 2310 IBM Security Host Protection for Servers (Unix) 2.2.2 IBM Security Host Protection for Servers (Windows) 1.0.914.2310 IBM Security Host Protection for Servers (Windows) 2.0.300.2310 IBM Security Host Protection for Servers (Windows) 2.1.14.2400 Proventia Network IDS XPU 28.170 Proventia Network IPS XPU 28.170 Proventia Network MFS XPU 28.170 Proventia Server IPS for Linux technology 28.170 Proventia-G 1.1 and earlier XPU 28.170 RealSecure Network XPU 28.170 RealSecure Server Sensor XPU 28.170 Virtual Server Protection for Vmware 1.0
HTTP_Sharepoint_Inplview_XSS	CVE-2012-0017	14 FEB 2012	N/A	IBM Security Host Protection for Desktops 2730 IBM Security Host Protection for Servers (Unix) 2.2.2 IBM Security Host Protection for Servers (Windows) 2.1.14.2730 Proventia Network IDS XPU 32.020 Proventia Network IPS XPU 32.020 Proventia Network MFS XPU 32.020 Proventia Server IPS for Linux technology 32.020 Proventia-G 1.1 and earlier XPU 32.020 RealSecure Network XPU 32.020 RealSecure Server Sensor XPU 32.020 Virtual Server Protection for Vmware XPU 32.020
win-ms12kb2663841-update	CVE-2012-0017 CVE-2012-0144 CVE-2012-0145	14 FEB 2012	N/A	Enterprise Scanner 1.90 Internet Scanner software 7.2 XPU 7.2.104

Coverage

Related CVEs

Coverage Date

Exploit Dates

Content Update Versions

Cross_Site_Scripting

CVE-2012-0144
CVE-2012-0145
CVE-2012-0017

11 NOV 2008

N/A

BlackICE PC Protection 3.6crk
BlackICE Server Protection 3.6.crk
IBM Security Host Protection for Desktops 2310
IBM Security Host Protection for Servers (Unix) 2.2.2
IBM Security Host Protection for Servers (Windows) 1.0.914.2310
IBM Security Host Protection for Servers (Windows) 2.0.300.2310
IBM Security Host Protection for Servers (Windows) 2.1.14.2400
Proventia Network IDS XPU 28.170
Proventia Network IPS XPU 28.170
Proventia Network MFS XPU 28.170
Proventia Server IPS for Linux technology 28.170
Proventia-G 1.1 and earlier XPU 28.170
RealSecure Network XPU 28.170
RealSecure Server Sensor XPU 28.170
Virtual Server Protection for Vmware 1.0

HTTP_Sharepoint_Inplview_XSS

CVE-2012-0017

14 FEB 2012

N/A

IBM Security Host Protection for Desktops 2730
IBM Security Host Protection for Servers (Unix) 2.2.2
IBM Security Host Protection for Servers (Windows) 2.1.14.2730
Proventia Network IDS XPU 32.020
Proventia Network IPS XPU 32.020
Proventia Network MFS XPU 32.020
Proventia Server IPS for Linux technology 32.020
Proventia-G 1.1 and earlier XPU 32.020
RealSecure Network XPU 32.020
RealSecure Server Sensor XPU 32.020
Virtual Server Protection for Vmware XPU 32.020

win-ms12kb2663841-update

CVE-2012-0017
CVE-2012-0144
CVE-2012-0145

14 FEB 2012

N/A

Enterprise Scanner 1.90
Internet Scanner software 7.2 XPU 7.2.104

References

Microsoft: http://technet.microsoft.com/en-us/security/bulletin/ms12-011
X-Force Database: http://xforce.iss.net/xforce/xfdb/72884
X-Force Database: http://xforce.iss.net/xforce/xfdb/72885
X-Force Database: http://xforce.iss.net/xforce/xfdb/72887
X-Force Database: http://xforce.iss.net/xforce/xfdb/72886