Info

Disclosure

Sep 11, 2012

Discovery

Unknown

Dates

Exploit

Sep 19, 2012

Solution

Sep 11, 2012

Description

Microsoft System Center Configuration Manager contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate URI input upon submission to the ReportChart.asp script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Private
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability. Check the Microsoft Security Bulletin in the references section.

Products

Microsoft Corporation	Systems Management Server	2003 SP3
		2007 SP2

References

Security Tracker: 1027512
CVE ID: 2012-2536 (see also: NVD)
Microsoft Knowledge Base Article: 2721642 2733631
Secunia Advisory ID: 50497
Other Advisory URL: http://www.baesystemsdetica.com.au/Research/Advisories/Microsoft-System-Center-Configuration-Manager-(SCC
Other Solution URL: http://www.stratsec.net/Research/Advisories/Microsoft-System-Center-Configuration-Manager-(SCC
Microsoft Security Bulletin: MS12-062

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/85316

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

Systems Management Server

References

Credit