[email protected]CVE-2010-2265

HistoryJun 15, 2010 - 2:04 p.m.

CVE-2010-2265

2010-06-1514:04:24

CWE-79

[email protected]

web.nvd.nist.gov

cve

2010

2265

cross-site scripting

xss

vulnerability

microsoft

windows

help and support center

windows xp

windows server 2003

remote attackers

arbitrary web script

html

sysinfo

sysinfomain.htm

cve-2010-1885

arbitrary commands

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

AI Score

Confidence

High

0.974 High

EPSS

Percentile

99.9%

JSON

Cross-site scripting (XSS) vulnerability in the GetServerName function in sysinfo/commonFunc.js in Microsoft Windows Help and Support Center for Windows XP and Windows Server 2003 allows remote attackers to inject arbitrary web script or HTML via the svr parameter to sysinfo/sysinfomain.htm. NOTE: this can be leveraged with CVE-2010-1885 to execute arbitrary commands without user interaction.

Affected configurations

NVD

Node

microsoftwindows_2003_serversp2

microsoftwindows_2003_serversp2itanium

microsoftwindows_server_2003sp2

microsoftwindows_xpsp2

microsoftwindows_xpsp3

microsoftwindows_xpMatch-sp2x64

CPENameOperatorVersion
microsoft:windows_2003_servermicrosoft windows 2003 servereq*
microsoft:windows_server_2003microsoft windows server 2003eq*
microsoft:windows_xpmicrosoft windows xpeq*
microsoft:windows_xpmicrosoft windows xpeq-

CPE	Name	Operator	Version
microsoft:windows_2003_server	microsoft windows 2003 server	eq	*
microsoft:windows_server_2003	microsoft windows server 2003	eq	*
microsoft:windows_xp	microsoft windows xp	eq	*
microsoft:windows_xp	microsoft windows xp	eq	-