CVE-2012-1860
Description
Microsoft Office SharePoint Server 2007 SP2 and SP3, SharePoint Server 2010 Gold and SP1, and Office Web Apps 2010 Gold and SP1 do not properly check permissions for search scopes, which allows remote authenticated users to obtain sensitive information or cause a denial of service (data modification) by changing a parameter in a search-scope URL, aka "SharePoint Search Scope Vulnerability."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2012-1860: Microsoft SharePoint Server 2007/2010 and Office Web Apps 2010 fail to check permissions for search scopes, allowing authenticated users to modify data or access sensitive info via a crafted URL.
Vulnerability
CVE-2012-1860, disclosed in Microsoft Security Bulletin MS12-050 [1], is a permission-checking flaw in Microsoft Office SharePoint Server 2007 Service Pack 2 and Service Pack 3, SharePoint Server 2010 Gold and Service Pack 1, and Office Web Apps 2010 Gold and Service Pack 1. The vulnerability occurs because these products do not properly validate permissions when processing search-scope parameters in URLs. An authenticated user with access to a search scope can modify a parameter in the search-scope URL, leading to unauthorized data disclosure or data modification.
Exploitation
An attacker must be an authenticated user with access to the SharePoint site. Exploitation involves crafting a URL that modifies a search-scope parameter. This URL can be delivered via email, instant message, or other means, tricking a user with sufficient privileges into clicking it. Alternatively, the attacker could directly craft the URL if they have the necessary permissions. The attack does not require any special network position beyond typical SharePoint access.
Impact
Successful exploitation allows an attacker to view or modify data that they would not normally be authorized to access, potentially leading to sensitive information disclosure. Additionally, the attacker could cause data modification, resulting in denial of service or corruption of SharePoint content. The impact is limited to data that is searchable within the scope, but this could include confidential documents or site content.
Mitigation
Microsoft released security update MS12-050 [1] on July 10, 2012, addressing this vulnerability. For SharePoint Server 2007, the update is included in cumulative update packages; for SharePoint Server 2010 and Office Web Apps 2010, the update is part of the July 2012 cumulative update. Administrators should apply the appropriate update to affected systems. No workaround is documented, as the fix involves correcting the permission validation logic. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of this writing.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:office_web_apps:2010:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_web_apps:2010:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2007:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2007:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2010:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2010:sp1:*:*:*:*:*:*
- (no CPE) Range: Gold, SP1
- Range: SP2, SP3
- Range: Gold, SP1
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.