InfoPath 2003 forms as email forms in InfoPath 2010 must be disallowed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-17668 | DTOO170 - InfoPath | SV-33646r1_rule | ECSC-1 | Medium |
| Description |
|---|
| An attacker might target InfoPath 2003 forms to try and compromise an organization's security. InfoPath 2003 did not write a published location for e-mail forms, which means forms could open without a corresponding published location. By default, InfoPath sends all forms via e-mail using InfoPath e-mail forms integration, including forms created using the InfoPath 2003 file format. |
| STIG | Date |
|---|---|
| Microsoft InfoPath 2010 | 2015-04-16 |
Details
| Check Text ( None ) |
|---|
| None |
| Fix Text (F-29787r1_fix) |
|---|
| Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2010 -> InfoPath e-mail forms “Disable sending InfoPath 2003 Forms as e-mail forms” to “Enabled”. |