CERT-In Vulnerability Note
Cross-site scripting (XSS) vulnerability exists in ASP.NET MVC
Original Issue Date: October 15, 2014
Severity Rating: MEDIUM
- ASP.NET MVC 2.0
- ASP.NET MVC 3.0
- ASP.NET MVC 4.0
- ASP.NET MVC 5.0
- ASP.NET MVC 5.1
A vulnerability has been reported in Microsoft ASP.NET MVC which could allow a remote attacker to conduct cross-site scripting (XSS) attacks.
This vulnerability exists in the System.Web.Mvc.dll component of ASP.NET due to improper encoding of user-supplied input by the affected software. A remote attacker could exploit this vulnerability by convincing a user to open a crafted web page to inject a client-side script into the user's instance of Internet Explorer.
Successful exploitation could allow the attacker to spoof content, disclose information, or conduct other attacks.
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Add trusted sites to the Internet Explorer Trusted sites zone
Apply appropriate patches as mentioned in Microsoft Security Bulletin
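To decide where the patches apply, an administrator first needs to know which copies of System.Web.Mvc.dll are deployed. The PowerShell below is an added example, not part of the CERT-In note or of Microsoft's bulletin. It inventories the DLL under a web root and marks copies whose file version falls in one of the release lines listed above. The default path `C:\inetpub` and the function name `Get-MvcAssemblyInventory` are assumptions made for the example.

```powershell
# Added example: inventory System.Web.Mvc.dll copies and flag the release
# lines this note lists as affected.
param(
    # Assumption: default IIS content root. Pass other roots (application
    # bin folders, SDK install folders) as additional paths.
    [string[]]$Root = @('C:\inetpub')
)

# Release lines named in the note (major.minor of the DLL file version).
$AffectedLines = '2.0', '3.0', '4.0', '5.0', '5.1'

function Get-MvcAssemblyInventory {
    param([string[]]$Path)

    Get-ChildItem -Path $Path -Filter 'System.Web.Mvc.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v    = $_.VersionInfo
            $line = '{0}.{1}' -f $v.FileMajorPart, $v.FileMinorPart
            [pscustomobject]@{
                Path           = $_.FullName
                FileVersion    = $v.FileVersion
                ReleaseLine    = $line
                # True means "in an affected release line", not "unpatched":
                # a patched DLL keeps the same major.minor, so FileVersion
                # must still be compared with the fixed build that the
                # Microsoft bulletin lists for that release line.
                InAffectedLine = $AffectedLines -contains $line
                LastWriteTime  = $_.LastWriteTime
            }
        }
}

# Each application usually ships its own copy in its bin folder, so expect
# one row per deployed application.
$inventory = Get-MvcAssemblyInventory -Path $Root
$inventory | Sort-Object ReleaseLine, Path | Format-Table -AutoSize -Wrap
```

Because ASP.NET MVC is commonly bin-deployed, each application listed needs its own DLL updated and redeployed. Patching one copy does not fix the others.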
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003