MS12-070: Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849)

medium Nessus Plugin ID 62465

Synopsis

A cross-site scripting vulnerability in SQL Server could allow elevation of privilege.

Description

The remote host has a version of Microsoft SQL Server installed. This version of SQL Server is running SQL Server Reporting Services (SRSS), that is affected by a cross-site scripting (XSS) vulnerability that could allow elevation of privileges. Successful exploitation could allow an attacker to execute arbitrary commands on the SSRS site in the context of the targeted user. An attacker would need to entice a user to visit a specially crafted link in order to exploit the vulnerability.

Solution

Microsoft has released a set of patches for SQL Server 2000, 2005, 2008, 2008 R2, and 2012.

See Also

http://www.nessus.org/u?70fa5df5

Plugin Details

Severity: Medium

ID: 62465

File Name: smb_nt_ms12-070.nasl

Version: 1.19

Type: local

Agent: windows

Published: 10/10/2012

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:microsoft:sql_server

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 10/9/2012

Vulnerability Publication Date: 10/9/2012

Reference Information

CVE: CVE-2012-2552

BID: 55783