Stored XSS in Microsoft Office SharePoint


Systems Affected

  • Microsoft SharePoint Server 2019
Summary           : Stored XSS in Microsoft Office SharePoint
Date              : June 2019
Affected versions : Microsoft SharePoint Server 2019
CVE reference     : CVE-2019-1134

Threat Level



The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can permanently inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website. [1]


A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. [2]


Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


We are currently unaware of any official solution to address this vulnerability.







The SharePoint XSS vulnerability was reported by Huynh Phuoc Hung (@hph0var).


The information provided herein is on an “as is” basis, without warranty of any kind.
