CVE-2010-2265
Description
Cross-site scripting (XSS) vulnerability in the GetServerName function in sysinfo/commonFunc.js in Microsoft Windows Help and Support Center for Windows XP and Windows Server 2003 allows remote attackers to inject arbitrary web script or HTML via the svr parameter to sysinfo/sysinfomain.htm. NOTE: this can be leveraged with CVE-2010-1885 to execute arbitrary commands without user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Windows Help and Support Center allows remote attackers to inject arbitrary web script via the svr parameter, potentially leading to command execution when combined with another vulnerability.
Vulnerability
The vulnerability is a cross-site scripting (XSS) flaw in the GetServerName function within sysinfo/commonFunc.js of the Microsoft Windows Help and Support Center. It affects Windows XP and Windows Server 2003. The issue occurs when the svr parameter is passed to sysinfo/sysinfomain.htm without proper sanitization, allowing an attacker to inject arbitrary web script or HTML.
Exploitation
An attacker can exploit this by crafting a URL whose svr parameter carries the injected script and tricking a user into visiting it, typically via a web browser. No authentication is required. This XSS can be leveraged with CVE-2010-1885 to execute arbitrary commands without user interaction, as noted in the CVE description.
Impact
Successful exploitation allows the attacker to inject and execute arbitrary script in the context of the Help and Support Center application. When combined with CVE-2010-1885, this can lead to remote code execution with the privileges of the current user, potentially compromising the entire system.
Mitigation
As of the available references, no official patch is documented. However, a workaround is provided by CERT/CC [2]: disabling the HCP protocol handler by removing the HKEY_CLASSES_ROOT\HCP\shell\open registry key. Additionally, upgrading to Windows Media Player 10 or later can help mitigate some attack vectors by prompting the user before loading external content [2]. Users should also follow general web browser security guidelines.
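The CERT/CC workaround above is a registry change, so the following is an added PowerShell example (not code from the CVE record, CERT/CC or Microsoft) that audits whether the HCP protocol handler is still registered and, only when asked, exports a backup and removes the HKEY_CLASSES_ROOT\HCP\shell\open key. The backup path and the -Remove switch are assumptions of this example.

```powershell
# Added example: audit and optionally apply the CERT/CC workaround for CVE-2010-2265.
# Run from an elevated PowerShell prompt on an affected Windows XP / Server 2003 host.
param(
    # Without -Remove the script only reports; with it, the key is backed up and deleted.
    [switch]$Remove,
    # Assumed backup location; any writable path will do.
    [string]$BackupPath = "$env:TEMP\HCP-shell-open-backup.reg"
)

# The key named in the CERT/CC workaround, addressed through the Registry provider.
$key = 'Registry::HKEY_CLASSES_ROOT\HCP\shell\open'

function Test-HcpHandler {
    # Returns $true when the hcp:// protocol handler is still registered.
    return (Test-Path -Path $key)
}

if (-not (Test-HcpHandler)) {
    Write-Output 'HCP protocol handler is not registered; workaround already applied or not applicable.'
    return
}

# Record what the handler launches before changing anything, for the audit trail.
$command = Get-ItemProperty -Path "$key\command" -ErrorAction SilentlyContinue
if ($command) {
    Write-Output ('HCP handler command: ' + $command.'(default)')
}

if (-not $Remove) {
    Write-Output 'HCP protocol handler is registered. Re-run with -Remove to apply the CERT/CC workaround.'
    return
}

# Export the key first so the handler can be restored later with `reg import`.
& reg.exe export 'HKCR\HCP\shell\open' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup to $BackupPath failed; not removing the key."
}

Remove-Item -Path $key -Recurse -Force
Write-Output "Removed HKEY_CLASSES_ROOT\HCP\shell\open (backup at $BackupPath)."
```

Running the script without -Remove is safe on any host and simply reports whether the hcp:// handler is present; removing the key disables Help and Support Center links system-wide, which is the trade-off the CERT/CC workaround accepts.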
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Windows Server 2003:
- cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*
- (no CPE)
Windows XP:
- cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:-:sp2:x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html (nvd; Exploit)
- www.securityfocus.com/bid/40721 (nvd; Exploit)
- blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx (nvd; Vendor Advisory)
- blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx (nvd; Vendor Advisory)
- secunia.com/advisories/40076 (nvd; Vendor Advisory)
- www.microsoft.com/technet/security/advisory/2219475.mspx (nvd; Vendor Advisory)
- www.vupen.com/english/advisories/2010/1417 (nvd; Vendor Advisory)
- www.kb.cert.org/vuls/id/578319 (nvd; US Government Resource)
- www.securityfocus.com/archive/1/511774/100/0/threaded (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/59267 (nvd)
News mentions
No linked articles in our index yet.