Vulnerability Details : CVE-2012-2520
Cross-site scripting (XSS) vulnerability in Microsoft InfoPath 2007 SP2 and SP3 and 2010 SP1, Communicator 2007 R2, Lync 2010 and 2010 Attendee, SharePoint Server 2007 SP2 and SP3 and 2010 SP1, Groove Server 2010 SP1, Windows SharePoint Services 3.0 SP2, SharePoint Foundation 2010 SP1, and Office Web Apps 2010 SP1 allows remote attackers to inject arbitrary web script or HTML via a crafted string, aka "HTML Sanitization Vulnerability."
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2012-2520
- cpe:2.3:a:microsoft:sharepoint_services:3.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:infopath:2007:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:infopath:2010:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2007:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2010:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_communicator:2007:r2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_web_apps:2010:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_foundation:2010:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:groove_server:2010:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:lync:2010:*:attendee:*:*:*:*:*
- cpe:2.3:a:microsoft:lync:2010:*:*:*:*:*:*:*
Threat overview for CVE-2012-2520
Top countries where our scanners detected CVE-2012-2520
Top open port discovered on systems with this issue
443
IPs affected by CVE-2012-2520 111
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2012-2520!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2012-2520
35.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-2520
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2012-2520
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-2520
-
http://www.securitytracker.com/id?1027628
Microsoft Office Communicator HTML Sanitizer Flaw Permits Cross-Site Scripting Attacks - SecurityTrackerThird Party Advisory;VDB Entry
-
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-066
Microsoft Security Bulletin MS12-066 - Important | Microsoft Docs
-
http://www.us-cert.gov/cas/techalerts/TA12-283A.html
Microsoft Updates for Multiple Vulnerabilities | CISAThird Party Advisory;US Government Resource
-
http://www.securitytracker.com/id?1027627
Microsoft Lync HTML Sanitizer Flaw Permits Cross-Site Scripting Attacks - SecurityTrackerThird Party Advisory;VDB Entry
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14976
Repository / Oval Repository
-
http://www.securityfocus.com/bid/55797
Microsoft SharePoint And Microsoft Lync HTML Sanitization Cross Site Scripting VulnerabilityThird Party Advisory;VDB Entry
-
http://www.securitytracker.com/id?1027625
Microsoft Groove Server HTML Sanitizer Flaw Permits Cross-Site Scripting Attacks - SecurityTrackerThird Party Advisory;VDB Entry
-
http://www.securitytracker.com/id?1027626
Microsoft SharePoint HTML Sanitizer Flaw Permits Cross-Site Scripting Attacks - SecurityTrackerThird Party Advisory;VDB Entry
-
http://www.securitytracker.com/id?1027629
Microsoft Office InfoPath HTML Sanitizer Flaw Permits Cross-Site Scripting Attacks - SecurityTrackerThird Party Advisory;VDB Entry
Jump to