Vulnerability Description
Cross-site scripting (XSS) vulnerability in the GetServerName function in sysinfo/commonFunc.js in Microsoft Windows Help and Support Center for Windows XP and Windows Server 2003 allows remote attackers to inject arbitrary web script or HTML via the svr parameter to sysinfo/sysinfomain.htm. NOTE: this can be leveraged with CVE-2010-1885 to execute arbitrary commands without user interaction.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Windows 2003 Server | All versions |
| Microsoft | Windows Server 2003 | All versions |
| Microsoft | Windows Xp | All versions |
Related Weaknesses (CWE)
References
- http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.htmlExploit
- http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-diVendor Advisory
- http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerVendor Advisory
- http://secunia.com/advisories/40076Vendor Advisory
- http://www.kb.cert.org/vuls/id/578319US Government Resource
- http://www.microsoft.com/technet/security/advisory/2219475.mspxVendor Advisory
- http://www.securityfocus.com/archive/1/511774/100/0/threaded
- http://www.securityfocus.com/bid/40721Exploit
- http://www.vupen.com/english/advisories/2010/1417Vendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59267
- http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.htmlExploit
- http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-diVendor Advisory
- http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerVendor Advisory
- http://secunia.com/advisories/40076Vendor Advisory
- http://www.kb.cert.org/vuls/id/578319US Government Resource
FAQ
What is CVE-2010-2265?
CVE-2010-2265 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Cross-site scripting (XSS) vulnerability in the GetServerName function in sysinfo/commonFunc.js in Microsoft Windows Help and Support Center for Windows XP and Windows Server 2003 allows remote attack...
How severe is CVE-2010-2265?
CVE-2010-2265 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2010-2265?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Windows 2003 Server, Microsoft Windows Server 2003, Microsoft Windows Xp.