XSS Vulnerability Discovered in Microsoft SQL Server
(MS12-070, CVE-2012-2552)
Summary
A cross-site scripting (XSS) vulnerability has been discovered in Microsoft SQL Server. An attacker can exploit the issue to run arbitrary script in the targeted user's browser, in the security context of that user's session with the vulnerable site. The Check Point IPS Software Blade provides immediate protection of unpatched systems against this vulnerability.
Details
The vulnerability is due to incorrect input validation by the SQL Server Report Manager (the web front end of Reporting Services). An attacker can exploit the issue by enticing a targeted user to visit a maliciously crafted web page or follow a crafted link. This allows the attacker to inject a client-side script into the user's browser, where it runs with the user's privileges on the Report Manager site. That script could spoof content, disclose information, or take any action on the site on behalf of the targeted user.
Affected Products
Microsoft SQL Server installations that include Reporting Services (Report Manager) are affected; MS12-070 lists the exact SQL Server versions and service packs. The attack is delivered through the targeted user's web browser, which does not itself need to be vulnerable.
Solution
Security administrators should deploy the update described in MS12-070 as soon as is practical. The latest Check Point IPS update protects unpatched systems by detecting and blocking attempts to exploit the vulnerability. For more information, see CPAI-2012-631.
Originally Published:
Last Updated: 10-Oct-2012