Microsoft issued a security advisory late Thursday, warning SharePoint users of a new SharePoint zero-day vulnerability that could allow elevation of privilege.
Jerry Bryant, Microsoft's group manager of response communications, said the software giant was unaware of any active attacks attempting to exploit the flaw. The cross-site scripting (XSS) vulnerability affects SharePoint Server 2007 and SharePoint Services 3.0. The vulnerability can be exploited in a browser-based attack.
The Microsoft advisory includes a workaround to mitigate the threat. Microsoft said users can restrict access by adding an access control list to SharePoint Help.aspx XML files. The workaround will, however, disable all help functionality on the SharePoint server, Microsoft said.
Servers are at reduced risk from Internet Explorer 8 clients, Microsoft said. IE 8 includes an XSS filter in the Internet zone that can block an attack.
"Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data," the firm warned.