An Information Disclosure vulnerability exists in the way that HTML is filtered that could allow an attacker to perform cross-site scripting attacks and run script in the security context of the logged-on user.


An attacker who successfully exploited the vulnerability could perform persistent cross-site scripting attacks against users of a site that is filtering HTML content via SafeHTML.

Technical details (analysis)

Cross-site scripting (XSS) is a class of security vulnerability that can enable an attacker to "inject" script code into a user's session with a Web site. The vulnerability can affect Web servers that dynamically generate HTML pages. If these servers embed browser input in the dynamic pages that they send back to the browser, these servers can be manipulated to include maliciously supplied content in the dynamic pages. This can allow malicious script to be executed. Web browsers may perpetuate this problem through their assumptions of "trusted" sites and their use of cookies to maintain persistent state with the Web sites that they frequent. An XSS attack does not modify Web site content. Instead, it inserts new, malicious script that can execute at the browser in the context that is associated with a trusted server.

Affected software

Microsoft Windows SharePoint Services 3.0 Service Pack 2 (32-bit versions)
Microsoft Windows SharePoint Services 3.0 Service Pack 2 (64-bit versions)
Microsoft SharePoint Server 2007 Service Pack 2 (32-bit editions)
Microsoft SharePoint Server 2007 Service Pack 2 (64-bit editions)

Non-affected software

All applications not on the affected list.



NIS signature

Name: Policy:Win/Sharepoint.SafeHTML2.XSS!CVE-2010-3243
Release Date: 2010-10-12T00:00:00

Known false positives

No known false positives at this time.


Workarounds

Read e-mails in plain text
Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones