CVE-2019-1295 — Cross-Site Request Forgery in Microsoft Sharepoint Enterprise Server

CWE-352 — Cross-Site Request Forgery7 documents6 sources

Severity

8.8HIGHNVD

EPSS

37.4%

top 2.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Sharepoint Enterprise Server Microsoft Sharepoint Foundation Microsoft Sharepoint Server +3 more

Timeline

PublishedSep 11

Latest updateMay 24

Description

A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from unsafe data input, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1257, CVE-2019-1296.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶NVDmicrosoft/sharepoint_server2019

▶NVDmicrosoft/sharepoint_foundation2010, 2013+1

▶CVEListV5microsoft/microsoft_sharepoint_server2019

▶NVDmicrosoft/sharepoint_enterprise_server2016

▶CVEListV5microsoft/microsoft_sharepoint_foundation2010 Service Pack 2, 2013 Service Pack 1+1

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-jqvv-p84x-4w7w: A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from unsafe data input, aka 'Microsoft Share↗2022-05-24

▶

GHSA

CSRF vulnerability in Jenkins warnings Plugin allows remote code execution↗2022-05-24

▶

CVEList

CVE-2019-1295: A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from unsafe data input, aka 'Microsoft Share↗2019-09-11

▶

📋Vendor Advisories

Microsoft

Microsoft SharePoint Remote Code Execution Vulnerability↗2019-09-10

▶