SB2020041410 - Multiple vulnerabilities in Microsoft SharePoint

Security Bulletin ID SB2020041410

CSH Severity

High

Patch available

YES

Number of vulnerabilities 10

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 10 vulnerabilities.

1) Spoofing attack (CVE-ID: CVE-2020-0977)

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. A remote authenticated attacker can send a specially crafted request and spoof page content.

2) Spoofing attack (CVE-ID: CVE-2020-0976)

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. A remote authenticated attacker can send a specially crafted request and spoof page content.

3) Spoofing attack (CVE-ID: CVE-2020-0975)

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. A remote authenticated attacker can send a specially crafted request and spoof page content.

4) Input validation error (CVE-ID: CVE-2020-0974)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists within the Microsoft SharePoint when the software fails to check the source markup of an application package. A remote authenticated attacker can use a specially crafted SharePoint application package and execute arbitrary code on the target system.

5) Spoofing attack (CVE-ID: CVE-2020-0972)

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. A remote authenticated attacker can send a specially crafted request and spoof page content.

6) Input validation error (CVE-ID: CVE-2020-0971)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists within the Microsoft SharePoint when the software fails to check the source markup of an application package. A remote authenticated attacker can use a specially crafted SharePoint application package and execute arbitrary code on the target system.

7) Input validation error (CVE-ID: CVE-2020-0932)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists within the Microsoft SharePoint when the software fails to check the source markup of an application package. A remote authenticated attacker can use a specially crafted SharePoint application package and execute arbitrary code on the target system.

8) Input validation error (CVE-ID: CVE-2020-0931)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists within the Microsoft SharePoint when the software fails to check the source markup of an application package. A remote authenticated attacker can use a specially crafted SharePoint application package and execute arbitrary code on the target system.

9) Input validation error (CVE-ID: CVE-2020-0929)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists within the Microsoft SharePoint when the software fails to check the source markup of an application package. A remote authenticated attacker can use a specially crafted SharePoint application package and execute arbitrary code on the target system.

10) Input validation error (CVE-ID: CVE-2020-0920)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists within the Microsoft SharePoint when the software fails to check the source markup of an application package. A remote authenticated attacker can use a specially crafted SharePoint application package and execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

SB2020041410 - Multiple vulnerabilities in Microsoft SharePoint

Breakdown by Severity

Description

Remediation

References

Please verify you're human