Microsoft SharePoint 2013 SP1 Stored XSS Vulnerability

Title: Microsoft SharePoint 2013 SP1 Stored XSS Vulnerability
Advisory ID: ZSL-2019-5533
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 24.09.2019
Summary
SharePoint is a web-based collaborative platform that integrates with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system, but the product is highly configurable and usage varies substantially among organizations.
Description
A cross-site scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as changing permissions and deleting content, and inject malicious content in the browser of the user.

SharePoint 2013 SP1 allows users to upload files to the platform, but does not correctly sanitize the filename when the files are listed. An authenticated user who has the rights to upload files to the SharePoint platform is able to exploit a stored cross-site scripting vulnerability in the filename. The filename is reflected in the attribute 'aria-label' of the following HTML tag.
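The affected markup is not reproduced in this text, so the following is an added example (not code from the advisory or from SharePoint) that uses a hypothetical link tag to show why an unencoded filename placed in 'aria-label' changes the tag's attribute set, and how attribute encoding at output time keeps it a single value. The function names, the markup and the sample filename are constructed for illustration.

```javascript
// Added example: hypothetical markup and names, not SharePoint's code.

// Encode a value for a double-quoted HTML attribute: everything outside
// a small safe set becomes a numeric character reference (&#xHH;).
function encodeAttr(value) {
  return String(value).replace(/[^A-Za-z0-9._ -]/gu,
    (c) => '&#x' + c.codePointAt(0).toString(16) + ';');
}

// "Before": the filename is concatenated into aria-label as-is.
function renderUnsafe(fileName) {
  return '<a href="#" aria-label="' + fileName + '">';
}

// "After": the filename is attribute-encoded when the listing is rendered.
function renderSafe(fileName) {
  return '<a href="#" aria-label="' + encodeAttr(fileName) + '">';
}

// Simplified start-tag attribute parser, used only to show how a
// browser would split the tag into attributes.
function parseAttrs(tag) {
  const body = tag.replace(/^<[A-Za-z0-9]+/, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// Decode the hex references produced by encodeAttr, as an HTML parser
// would, to confirm the label still carries the original filename.
function decodeRefs(value) {
  return value.replace(/&#x([0-9a-f]+);/gi,
    (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
}

// Constructed, harmless filename containing a double quote.
const sampleName = 'report" data-injected="1.docx';

console.log(Object.keys(parseAttrs(renderUnsafe(sampleName))));
console.log(Object.keys(parseAttrs(renderSafe(sampleName))));
```

The unencoded rendering parses into three attributes, while the encoded one keeps exactly 'href' and 'aria-label', and the decoded label is still the uploaded filename.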
Vendor
Microsoft Corporation - https://www.microsoft.com
Affected Version
2013 SP1
Tested On
Microsoft Windows Server 2016
Microsoft SharePoint 2013 SP1
Vendor Status
[12.05.2019] Vulnerability discovered.
[13.05.2019] Vendor contacted.
[14.05.2019] Response from the vendor.
[11.09.2019] Patch released from the vendor.
[24.09.2019] Coordinated public security advisory released.
PoC
sharepoint_xss.txt
Credits
Vulnerability discovered by Davide Cioccia - <davide@zeroscience.mk>
References
[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1262
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1262
[3] https://packetstormsecurity.com/files/154591
[4] https://www.exploit-db.com/exploits/47417
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/166058
Changelog
[24.09.2019] - Initial release
[25.09.2019] - Added reference [4]
[26.09.2019] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk