ASP.NET MVC Security Feature Bypass Vulnerability (2990942) Network Vulnerability

Summary

This host is missing an important security update according to Microsoft Bulletin MS14-059.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Impact Level: System/Application

Solution

Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the link, https://technet.microsoft.com/en-us/security/bulletin/ms14-059

Insight

Certain unspecified input is not properly sanitised in System.Web.Mvc.dll before being returned to the user.

Affected

ASP.NET MVC 2.0/3.0/4.0/5.0/5.1

Detection

Get the vulnerable file version and check appropriate patch is applied or not.

References

http://secunia.com/advisories/60971
http://www.osvdb.com/113187
https://technet.microsoft.com/library/security/ms14-059

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-4075
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Microsoft Exchange Server Multiple Vulnerabilities (3009712)
Microsoft iSCSI Denial of Service Vulnerabilities (2962485)
Microsoft Outlook Information Disclosure Vulnerability (2894514)
Microsoft Windows Active Directory Denial of Service Vulnerability (2853587)
Microsoft SharePoint Foundation Privilege Elevation Vulnerability (3000431)

Take action and discover your vulnerabilities