Vigil@nce - Microsoft System Center Configuration Manager, SMS: Cross Site Scripting
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a Cross Site Scripting in Microsoft
System Center Configuration Manager (and Microsoft Systems
Management Server), in order to execute JavaScript code in the
context of the web site.
Impacted products: SCCM, Microsoft SMS
Severity: 2/4
Creation date: 11/09/2012
DESCRIPTION OF THE VULNERABILITY
Microsoft System Center Configuration Manager and Microsoft
Systems Management Server offer a web service
However, these web sites do not filter their parameters, before
displaying them in generated HTML pages.
An attacker can therefore generate a Cross Site Scripting in
Microsoft System Center Configuration Manager (and Microsoft
Systems Management Server), in order to execute JavaScript code in
the context of the web site.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN