CVE-2010-0716 — Cross-site Scripting in Microsoft Sharepoint Server

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

3.5LOWNVD

EPSS

4.7%

top 10.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Sharepoint Server

Timeline

PublishedFeb 26

Latest updateMay 2

Description

_layouts/Upload.aspx in the Documents module in Microsoft SharePoint before 2010 uses URLs with the same hostname and port number for a web site's primary files and individual users' uploaded files (aka attachments), which allows remote authenticated users to leverage same-origin relationships and conduct cross-site scripting (XSS) attacks by uploading TXT files, a related issue to CVE-2008-5026. NOTE: the vendor disputes the significance of this issue, because cross-domain isolation can be impl…

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 6.8 | Impact: 2.9

Affected Packages1 packages

▶NVDmicrosoft/sharepoint_server2007+1

🔴Vulnerability Details

GHSA

GHSA-p6qx-pxww-v5xv: _layouts/Upload↗2022-05-02

▶

CVEList

CVE-2010-0716: _layouts/Upload↗2010-02-26

▶