Bulletin: MS15-087 (CVE-2015-2475)
Vulnerability: Vulnerability in UDDI Services Could Allow Elevation of Privilege (3082459)
Product: Windows Server
Severity: Important
Date: 12-08-2015

Technical Information

Brief overview of the risk:
The vulnerability is a reflected cross-site scripting (XSS) flaw in the UDDI Services web pages: an attacker can place a malicious script in the search parameter of a page URL. Exploitation requires user interaction, because a victim has to open the specially crafted link (for example from an e-mail or another website); the script then executes in the victim's browser in the context of the UDDI site.

Detailed Information on the risk:

An elevation of privilege vulnerability exists in Microsoft Windows because the Universal Description, Discovery, and Integration (UDDI) Services do not properly validate or sanitize the search parameter that is reflected into a FRAME tag. An attacker who successfully exploited this vulnerability could run script in the victim's browser in the security context of the UDDI site, and through that script leak authorization cookies or unexpectedly redirect the user to a malicious webpage.
To exploit the vulnerability, an attacker would engineer a cross-site scripting (XSS) scenario by inserting a malicious script into the search parameter and persuading a user to open the resulting link; when the user visits the specially crafted webpage, the script executes. The update addresses the vulnerability by correcting how UDDI Services encode and validate the parameter. Only servers that actually host the UDDI Services component are exposed, and an attacker cannot force a user to open the link, so until the update is installed the risk is reduced (not removed) by marking authorization cookies HttpOnly, which blunts cookie theft by script but not the redirect vector, and by treating unsolicited links to the UDDI site with caution.

Further information on this vulnerability is available in Microsoft Security Bulletin MS15-087.

Affected Software

Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Microsoft BizTalk Server 2010
Microsoft BizTalk Server 2013
Microsoft BizTalk Server 2013 R2