Three security vulnerabilities in Microsoft’s Content Management Server 2001 have been announced and patched in security bulletin MS02-041. The most critical hole is an exploitable buffer overflow in user authentication that could give a remote attacker Administrative privileges.

The other two problems are also serious: an SQL injection vulnerability, and bugs in the authoring function which could permit the uploading and execution of an arbitrary file, under the security context of the Web Application Manager. Users of MCMS Service Pack 1 can apply the patch; it will also be included in SP2.