KLA11053
XSS vulnerabilities in Microsoft SharePoint
Updated: 26/06/2019
Detection date
13/06/2017
Threat level
Warning
Description

Multiple serious vulnerabilities have been found in Microsoft SharePoint. Malicious users can exploit these vulnerabilities to obtain sensitive information and gain privileges.

Below is a complete list of vulnerabilities:

  1. Improper sanitization of user web requests can be exploited remotely via a specially crafted web request to obtain sensitive information;
  2. Incorrect sanitization of web requests can be exploited remotely via a specially crafted web request to gain privileges.

Technical details

Vulnerability (1) can only be exploited if a user clicks a specially crafted URL that takes the user to a targeted SharePoint Web App site. The malicious URL can be sent by email or hosted on a website run by a malicious user. In both cases the attacker must convince the user to click the malicious URL.

Affected products

Microsoft SharePoint Enterprise Server 2016
Microsoft Project Server 2013 Service Pack 1

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Original advisories
CVE-2017-8514
CVE-2017-8551
Impact
ACE
OSI
SB
PE
SUI
Related products
Microsoft SharePoint Server
CVE-IDS
CVE-2017-8551: 4.3, Warning
CVE-2017-8514: 3.5, Warning
Microsoft official advisories
Microsoft Security Update Guide
KB list

3203432
3203399