This vulnerability is caused by cross-site scripting (XSS) injection in the settings section of the SharePoint Server web interface. A remote attacker can inject malicious code into the settings section via XSS. If a user visits a malicious website, such as a phishing site, the attacker can control the settings section of SharePoint Server and gain remote code execution on the target system.

Vulnerability Scenario

A user visits a malicious website and is presented with an interface that looks like the SharePoint Server web application. The user then enters their credentials into the web application and is presented with a document from the library. The malicious website then sends a specially crafted request to an affected SharePoint Server, which causes XSS in the settings section of SharePoint Server and triggers remote code execution on the target system.

Vulnerable Packages

SharePoint Server 2019
SharePoint Server 2016
SharePoint Foundation 2013

Exploitation of XSS in the Settings Section of SharePoint Server

A remote attacker can exploit this vulnerability by sending a specially crafted request to the SharePoint Server. The XSS injection point in the settings section is <input type="text" value="XSS" onChange="alert('XSS in the settings section of SharePoint Server');"/>. Normally, a user is not supposed to enter untrusted data into the settings section of SharePoint Server. However, because of this injection point, a malicious user can enter commands into the settings section and gain remote code execution on the target system. The settings section is not validated when a user checks out a document from the library, which is what makes remote code execution possible there.
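
The markup quoted above is an attribute-context injection: an unvalidated value ends the value attribute and contributes an event handler of its own. The following is an added illustration, not SharePoint code and not part of the original advisory; the function names and the sample value are constructed for this example. It shows a generic unencoded renderer beside an encoded one, with a regression check that reports any handler attribute a value introduces.

```javascript
// Added illustration. All names here are hypothetical, not SharePoint APIs.

// Vulnerable pattern: the stored setting is concatenated into the attribute.
function renderSettingUnsafe(value) {
  return '<input type="text" value="' + value + '"/>';
}

// Hardened pattern: encode every character that can end the attribute
// or open a new tag before it reaches the markup.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}
function renderSettingSafe(value) {
  return '<input type="text" value="' + encodeAttr(value) + '"/>';
}

// Minimal attribute scanner for the single <input .../> tag rendered above.
// It returns the attribute names a browser would see, so a breakout shows
// up as an extra attribute such as onchange.
function attributeNames(tagHtml) {
  const names = [];
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/g;
  let m;
  while ((m = re.exec(tagHtml)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Regression check: does rendering this value add an on* handler attribute?
function introducesHandler(render, value) {
  return attributeNames(render(value)).some((n) => n.startsWith('on'));
}

// Constructed sample value, modelled on the markup quoted on this page.
const SAMPLE = 'XSS" onChange="alert(\'XSS in the settings section of SharePoint Server\');';

console.log('unsafe:', attributeNames(renderSettingUnsafe(SAMPLE)));
console.log('safe:  ', attributeNames(renderSettingSafe(SAMPLE)));
```

The same check can run in a unit test suite against every template that writes stored settings into an attribute.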

Timeline

Published on: 09/13/2022 19:15:00 UTC
Last modified on: 09/16/2022 17:43:00 UTC
