

Vulnerability protection

Microsoft SQL Server vulnerability could allow escalation of privilege


Report ID: MS201210007
Date Published: 10 October 2012

Criticality: Important
Compromise Type: privilege-escalation
Compromise From: remote


Affected Product/Component:

Microsoft SQL Server 2000
Microsoft SQL Server 2005
Microsoft SQL Server 2008
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2012




Summary

A vulnerability reported in SQL Server Report Manager could allow an attacker to inject a script into the user's web browser, and take action on behalf of the user.



Detailed Description

Microsoft has released a security update to address a vulnerability in SQL Server Report Manager, which was caused by improper validation of a request parameter on the Report Manager SQL Server site. An attacker who successfully exploits this vulnerability could inject a client-side script into the user's instance of Internet Explorer, and use the script to spoof content, disclose information, or take action on behalf of the user.

This issue has been resolved by correcting the way that SQL Server Report Manager encodes input parameters. As a protective measure against potential exploit attempts, users are advised to install the latest update for the applicable system.



CVE Reference

CVE-2012-2552



Solution

Install the latest security patch for the applicable system, available for download from http://technet.microsoft.com/en-us/security/bulletin/ms12-070



