HTTP: Microsoft SQL Server Report Manager Cross Site Scripting
This signature detects attempts to exploit a known flaw in Microsoft SQL Server Report Manager. An information disclosure vulnerability exists in the Microsoft Report Viewer control due to the improper validation of parameters within a data source. An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser, resulting in arbitrary code execution with the privileges of the user's browser session.
Extended Description
Cross-site scripting (XSS) vulnerability in the SQL Server Report Manager in Microsoft SQL Server 2000 Reporting Services SP2 and SQL Server 2005 SP4, 2008 SP2 and SP3, 2008 R2 SP1, and 2012 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka "Reflected XSS Vulnerability."
Affected Products
Microsoft sql_server
References
CVE: CVE-2012-2552
Short Name
HTTP:XSS:MS-REPORT-MANAGER
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
CVE-2012-2552 Cross Manager Microsoft Report SQL Scripting Server Site
Release Date
10/08/2012
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3761
False Positive
Unknown
Vendors
Microsoft
CVSS Score
4.3