MS12-040: Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (MSSQL check)

Medium severity, Nessus Plugin ID 59643

Synopsis

A web application on the remote host has a cross-site scripting vulnerability.

Description

The version of Microsoft Dynamics AX Enterprise Portal on the remote host has an unspecified cross-site scripting vulnerability. An attacker could exploit this by tricking a user into making a malicious request, resulting in arbitrary script code execution.

This plugin checks if the system is missing KB2706738 or KB2710639.
Nessus will only check for the missing KBs if Dynamics AX and SQL Server are on the same system, SQL Server is available via TCP/IP, and SQL Server is configured to use Windows authentication.

Solution

Microsoft has released a set of patches for Dynamics AX 2012 Enterprise Portal.

See Also

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-040

Plugin Details

Severity: Medium

ID: 59643

File Name: ms12-040_mssql.nbin

Version: 1.293

Type: local

Agent: windows

Published: 6/21/2012

Updated: 3/26/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/o:microsoft:windows, cpe:/a:microsoft:dynamics_ax:2012

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/12/2012

Vulnerability Publication Date: 6/12/2012

Reference Information

CVE: CVE-2012-1857

BID: 53863

IAVB: 2012-B-0059

MSFT: MS12-040

MSKB: 2711239