KLA11053
XSS vulnerabilities in Microsoft Sharepoint

Multiple serious vulnerabilities have been found in Microsoft Sharepoint. Malicious users can exploit these vulnerabilities to obtain sensitive information and gain privileges.

Below is a complete list of vulnerabilities:

1. An improper sanitizing of user web requests can be exploited remotely via a specially designed web request to obtain sensitive information;
2. An incorrect sanitizing of web requests can be exploited remotely via a specially designed web request to gain privileges.

Technical details

Vulnerability (1) can only be exploited if user clicks a specially designed URL which takes the user to a targeted Sharepoint Web App site. A malicious URL can be sent via email or it can be on a website hosted by a malicious user. In both cases the attacker should convince a user to click malicious URL.

Microsoft SharePoint Enterprise Server 2016
Microsoft Project Server 2013 Service Pack 1

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)