
====================================================================

                             CERT-Renater

                   Information Note No. 2012/VULN353
____________________________________________________________________

DATE                : 12/09/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running
         Microsoft Systems Management Server version 2003 SP3,
         Microsoft System Center Configuration Manager version 2007 SP2.

======================================================================
KB2741528
http://technet.microsoft.com/en-us/security/bulletin/MS12-062
______________________________________________________________________

Microsoft Security Bulletin MS12-062 - Important

Vulnerability in System Center Configuration Manager Could Allow
Elevation of Privilege (2741528)

Published Date: September 11, 2012 | Updated Date: Unspecified

Version: 1.0

General Information

Executive Summary

This security update resolves a privately reported vulnerability in
Microsoft System Center Configuration Manager. The vulnerability could
allow elevation of privilege if a user visits an affected website by
way of a specially crafted URL. An attacker would have no way to force
users to visit such a website. Instead, an attacker would have to
persuade users to visit the website, typically by getting them to click
a link in an email message or Instant Messenger message that takes
users to the attacker's website.

This security update is rated Important for all supported editions of
Microsoft System Center Configuration Manager.


Known Issues

None


Affected Software

Microsoft Systems Management Server 2003 Service Pack 3
Microsoft System Center Configuration Manager 2007 Service Pack 2


Vulnerability Information

Reflected XSS Vulnerability - CVE-2012-2536

A cross-site scripting (XSS) vulnerability exists in System Center
Configuration Manager where code can be injected back to the user in
the resulting page, effectively allowing attacker-controlled code to
run in the context of the user clicking the link.


======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
