CVE Number | Vulnerability | Product | Severity | Date
MS12-007 | Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664) | Microsoft Anti-Cross | Important | 11-01-2012

Technical Information

Brief overview of the risk:
This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library.

Detailed Information on the risk:

An information disclosure vulnerability exists when the Microsoft Anti-Cross Site Scripting (AntiXSS) Library incorrectly sanitizes specially crafted HTML. An attacker who successfully exploited this vulnerability could perform a cross-site scripting (XSS) attack on a website that is using the AntiXSS Library to sanitize user-provided HTML. This could allow an attacker to pass a malicious script through a sanitization function and expose information not intended to be disclosed. The consequences of the disclosure of this information depend on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker’s user rights directly, but it could be used to produce information that could be used in an attempt to further compromise the affected system.


Further information on this exploit is available at: MS12-007

Affected Software

Microsoft Anti-Cross Site Scripting Library V3.x and Microsoft Anti-Cross Site Scripting Library V4.0