Detections
Analytics

MS11-049: Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893)

medium Nessus Plugin ID 55129

Language:

Synopsis

An application on the remote Windows host has an information disclosure vulnerability.

Description

An application on the remote host has an XML external entity vulnerability. When parsing a specially crafted Web Service Discovery (.disco) file, external XML entities are allowed for untrusted user input. This could result in information disclosure.

A remote attacker could exploit this by tricking a user into opening a specially crafted .disco file, resulting in the disclosure of sensitive information.

Solution

Microsoft has released a set of patches for InfoPath 2007 and 2010, SQL Server 2005, 2008, and 2008 R2, SQL Server Management Studio Express 2005, Visual Studio 2005, 2008, and 2010.

See Also

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-049

Plugin Details

Severity: Medium

ID: 55129

File Name: smb_nt_ms11-049.nasl

Version: 1.22

Type: local

Agent: windows

Published: 6/15/2011

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:microsoft:infopath, cpe:/a:microsoft:sql_server, cpe:/a:microsoft:visual_studio

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 6/14/2011

Vulnerability Publication Date: 6/14/2011

Reference Information

CVE: CVE-2011-1280

BID: 48196

IAVB: 2011-B-0064

MSFT: MS11-049

MSKB: 2251481, 2251487, 2251489, 2494086, 2494089, 2494094, 2494112, 2494113, 2494120, 2494123, 2510061, 2546869