Stored XSS in Microsoft Office SharePoint


Systems Affected

  • Microsoft SharePoint Server 2019
Summary           : Stored XSS in Microsoft Office SharePoint
Date              : June 2019
Affected versions : Microsoft SharePoint Server 2019
CVE reference     : CVE-2019-1134

Threat Level

Medium

Overview

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks. The vulnerability exists because user-supplied data is insufficiently sanitized before it is rendered. A remote, authenticated attacker can persistently inject arbitrary HTML and script code that is then executed in the browser of any user viewing the affected page, in the security context of the vulnerable site. [1]

Description

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. [2] Because the injected content is stored server-side, it is served to every user who subsequently views the affected page; the victim does not need to follow an attacker-controlled link.

Impact

Successful exploitation of this vulnerability may allow a remote, authenticated attacker to steal potentially sensitive information from users who view the affected content (for example session data or page contents accessible to the script), deface the affected page, or stage phishing and drive-by-download attacks against those users.

Solution

We are currently unaware of any official solution to address this vulnerability. Check the Microsoft advisory [2] for updates.


Reference

[1] https://www.cybersecurity-help.cz/vdb/SB2019062801

[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1134

Credits

This SharePoint XSS vulnerability was reported by Huynh Phuoc Hung (@hph0var).

Disclaimer

The information provided herein is on “as is” basis, without warranty of any kind.
