Stored XSS in Microsoft Office SharePoint

Systems Affected

  • Microsoft SharePoint Server 2019
Summary           : Stored XSS in Microsoft Office SharePoint
Date              : June 2019
Affected versions : Microsoft SharePoint Server 2019
CVE reference     : CVE-2019-1134

Threat Level

Medium

Overview

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can permanently inject and execute arbitrary HTML and script code in user’s browser in context of vulnerable website. [1]

Description

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. [2]

Impact

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Solution

We currently unaware of any official solution to address this vulnerability.

Reference

[1] https://www.cybersecurity-help.cz/vdb/SB2019062801

[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1134

Credits

Sharepoint XSS vulnerability was reported by Huynh Phuoc Hung (@hph0var)

Disclaimer

The information provided herein is on “as is” basis, without warranty of any kind.
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.