MS12-070: Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849) (uncredentialed check)

medium Nessus Plugin ID 62468


A cross-site scripting vulnerability in SQL Server could allow elevation of privilege.


The remote host has a version of Microsoft SQL Server installed. This version of SQL Server is running SQL Server Reporting Services (SSRS), which is affected by a cross-site scripting (XSS) vulnerability that could allow elevation of privileges. Successful exploitation could allow an attacker to execute arbitrary commands on the SSRS site in the context of the targeted user. An attacker would need to entice a user to visit a specially crafted link in order to exploit the vulnerability.


Microsoft has released a set of patches for SQL Server 2000, 2005, 2008, 2008 R2, and 2012.

Plugin Details

Severity: Medium

ID: 62468

File Name: smb_kb2754849.nasl

Version: 1.16

Type: remote

Agent: windows

Family: Windows

Published: 10/10/2012

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information


Risk Factor: Low

Score: 1.6


CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C


CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:sql_server

Required KB Items: Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 10/9/2012

Vulnerability Publication Date: 10/9/2012

Reference Information

CVE: CVE-2012-2552

BID: 55783