MS12-040: Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (MSSQL check)

Medium Nessus Plugin ID 59643

Synopsis

A web application on the remote host has a cross-site scripting vulnerability.

Description

The version of Microsoft Dynamics AX Enterprise Portal on the remote host has an unspecified cross-site scripting vulnerability. An attacker could exploit this by tricking a user into making a malicious request, resulting in arbitrary script code execution.

This plugin checks if the system is missing KB2706738 or KB2710639.
Nessus checks for the missing KBs only if Dynamics AX and SQL Server are on the same system, SQL Server is reachable via TCP/IP, and SQL Server is configured to use Windows authentication.

Solution

Microsoft has released a set of patches for Dynamics AX 2012 Enterprise Portal.

See Also

http://technet.microsoft.com/en-us/security/Bulletin/MS12-040

Plugin Details

Severity: Medium

ID: 59643

File Name: ms12-040_mssql.nbin

Version: $Revision: 1.119 $

Type: local

Published: 2012/06/21

Modified: 2018/02/14

Dependencies: 59453, 57033, 13855

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:microsoft:windows, cpe:/a:microsoft:dynamics_ax:2012

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2012/06/12

Vulnerability Publication Date: 2012/06/12

Reference Information

CVE: CVE-2012-1857

BID: 53863

OSVDB: 82853

MSFT: MS12-040

IAVB: 2012-B-0059

MSKB: 2711239