KLA11053
XSS vulnerabilities in Microsoft Sharepoint
Updated: 06/26/2019
Detect date
?
06/13/2017
Severity
?
Warning
Description

Multiple serious vulnerabilities have been found in Microsoft Sharepoint. Malicious users can exploit these vulnerabilities to obtain sensitive information and gain privileges.

Below is a complete list of vulnerabilities:

  1. An improper sanitizing of user web requests can be exploited remotely via a specially designed web request to obtain sensitive information;
  2. An incorrect sanitizing of web requests can be exploited remotely via a specially designed web request to gain privileges.

Technical details

Vulnerability (1) can only be exploited if user clicks a specially designed URL which takes the user to a targeted Sharepoint Web App site. A malicious URL can be sent via email or it can be on a website hosted by a malicious user. In both cases the attacker should convince a user to click malicious URL.

Affected products

Microsoft SharePoint Enterprise Server 2016
Microsoft Project Server 2013 Service Pack 1

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Original advisories

CVE-2017-8514
CVE-2017-8551

Impacts
?
ACE 
[?]

OSI 
[?]

SB 
[?]

PE 
[?]

SUI 
[?]
Related products
Microsoft Sharepoint Server
CVE-IDS
?
CVE-2017-85514.3Warning
CVE-2017-85143.5Warning
Microsoft official advisories
Microsoft Security Update Guide
KB list

3203432
3203399