This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look.
Referring to the bulletin we can glean a few useful pieces of information:
“A cross-site scripting (XSS) vulnerability exists in ASP.NET MVC that could allow an attacker to inject a client-side script into the user’s web browser… The vulnerability is caused when ASP.NET MVC fails to properly encode input.”
- See more at: http://blog.beyondtrust.com/exploiting-ms14-059-because-sometimes-xss-is-fun-sometimes#sthash.K7eESVq9.dpuf
Referring to the bulletin we can glean a few useful pieces of information:
“A cross-site scripting (XSS) vulnerability exists in ASP.NET MVC that could allow an attacker to inject a client-side script into the user’s web browser… The vulnerability is caused when ASP.NET MVC fails to properly encode input.”
- See more at: http://blog.beyondtrust.com/exploiting-ms14-059-because-sometimes-xss-is-fun-sometimes#sthash.K7eESVq9.dpuf