New Flaw Found in Microsoft SharePoint

There is a cross-site scripting flaw in SharePoint 2007, Microsoft’s collaboration product, which could give an attacker the ability to execute arbitrary JavaScript code on a machine through a browser.

There is a cross-site scripting flaw in SharePoint 2007, Microsoft’s collaboration product, which could give an attacker the ability to execute arbitrary JavaScript code on a machine through a browser.

High-Tech Bridge, a Swiss security firm, published an advisory about the vulnerability on Thursday, along with proof-of-concept code to demonstrate the exploit.

“The vulnerability exists due to failure in the “/_layouts/help.aspx”
script to properly sanitize user-supplied input in “cid0″ variable.
Successful exploitation of this vulnerability could result in a
compromise of the application, theft of cookie-based authentication
credentials, disclosure or modification of sensitive data,” the company said in its advisory.

Microsoft’s Security Response Center said it is working on mitigations, workarounds and a fix for the vulnerability.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.