漏洞标题
微软SharePoint欺骗漏洞
漏洞描述信息
当Microsoft SharePoint Server未能正确清理特制的Web请求到受影响的SharePoint服务器时,存在一个欺骗漏洞。一个经过身份验证的攻击者可以通过发送特制的请求到受影响的SharePoint服务器来利用该漏洞。
成功利用该漏洞的攻击者可以在受影响的系统上执行跨站脚本攻击,并在当前用户的权限上下文中运行脚本。这些攻击可能会让攻击者读取未授权的内容,使用受害者的身份代表用户在SharePoint站点上执行操作(如更改权限和删除内容),并在用户的浏览器中注入恶意内容。
安全更新通过确保SharePoint Server正确清理Web请求来解决该漏洞。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
漏洞类别
N/A
漏洞标题
Microsoft SharePoint Spoofing Vulnerability
漏洞描述信息
A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.
The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.
The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Microsoft SharePoint 输入验证错误漏洞
漏洞描述信息
Microsoft SharePoint是美国微软(Microsoft)公司的一套企业业务协作平台。该平台用于对业务信息进行整合,并能够共享工作、与他人协同工作、组织项目和工作组、搜索人员和信息。 Microsoft SharePoint中存在安全漏洞,该漏洞源于程序没有正确处理发往SharePoint服务器的请求。攻击者可借助特制请求利用该漏洞在当前用户的安全上下文中运行脚本。以下产品及版本受到影响:Microsoft SharePoint Enterprise Server 2013 SP1,Shar
CVSS信息
N/A
漏洞类别
输入验证错误