Microsoft SharePoint contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate unspecified parameters upon submission to the scriptesx.ashx script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability. Check the Microsoft Security Bulletin in the references section.

• Security Tracker: 1027232
• OVAL ID: 15589
• CVE ID: 2012-1859 (see also: NVD)
• Microsoft Knowledge Base Article: 2553194 2553322 2553365 2553424 2553431 2589325 2596663 2596666 2596786 2596911 2596942 2598239 2695502
• Secunia Advisory ID: 49875
• Related OSVDB ID: 83647 83648 83649 83651
• Microsoft Security Bulletin: MS12-050

• Not Available