SB2021011211 - Multiple vulnerabilities in Microsoft SharePoint Server
Published: January 12, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2021-1707)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated attacker can pass specially crafted input to the application and execute arbitrary code on the target system.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-1718)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to tampering issue in SharePoint Server, which leads to security restrictions bypass and privilege escalation.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-1719)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.
4) Spoofing attack (CVE-ID: CVE-2021-1717)
CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can spoof page content.
5) Spoofing attack (CVE-ID: CVE-2021-1641)
CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can spoof page content.
6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-1712)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.
Remediation
Install update from vendor's website.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1707
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1718
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1719
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1717
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1641
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1712