Reported February 8, 2005 by Microsoft
VERSIONS AFFECTED
- Windows SharePoint Services for Windows Server 2003
- SharePoint Team Services from Microsoft
Non-Affected Software:
- Windows Server 2003 for Itanium-based systems
- SharePoint Portal Server 2003 (all versions)
- SharePoint Portal Server 2001 (all versions)
DESCRIPTION
The cross-site scripting vulnerability could allow an intruder to execute code in the security context of the currently logged on user.
A spoofing attack could take place because input provided to HTML redirection queries is not adequately validated before the input is sent to a user's Web browser.
VENDOR RESPONSE
Microsoft has released Security Bulletin MS05-006, "Vulnerability in Windows SharePoint Services and SharePoint Team Services Could Allow Cross-Site Scripting and Spoofing Attacks (887981)," and a patch to correct the problem.