Vigil@nce: Microsoft SharePoint, Cross Site Scripting
November 2008 by Vigil@nce
An attacker allowed to upload a malicious content to Microsoft SharePoint can create a Cross Site Scripting.
Consequences: data reading
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: multiples sources (3/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/11/2008
Microsoft Office SharePoint Portal Server
Microsoft Office SharePoint Server
SharePoint Team Services
Windows SharePoint Services
SharePoint users can upload HTML files on the server.
An attacker, with no access to some information, can therefore invite the victim to read a malicious document which accesses to other documents with victim’s rights.
Identifiers: CVE-2008-5026, VIGILANCE-VUL-8245