CVE-2020-1103

CWE-352 — Cross-Site Request Forgery (CSRF)CWE-200 — Information Exposure4 documents4 sources

Severity

6.5MEDIUM

EPSS

8.9%

top 7.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Microsoft Sharepoint Enterprise Server Microsoft Microsoft Sharepoint Foundation Microsoft Microsoft Sharepoint Server +3 more

Timeline

PublishedMay 21

Latest updateMay 24

Description

An information disclosure vulnerability exists where certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site search attacks (a variant of cross-site request forgery, CSRF).When users are simultaneously logged in to Microsoft SharePoint Server and visit a malicious web page, the attacker can, through standard browser functionality, induce the browser to invoke search queries as the logged in user, aka 'Microsoft SharePoint Information Disclosure Vulnerabil…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶NVDmicrosoft/sharepoint_server2019

▶CVEListV5microsoft/microsoft_sharepoint_server2019

▶NVDmicrosoft/sharepoint_enterprise_server2016

▶CVEListV5microsoft/microsoft_sharepoint_enterprise_server2016

▶NVDmicrosoft/sharepoint_foundation2013

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-88wv-c32x-w3h7: An information disclosure vulnerability exists where certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site↗2022-05-24

▶

CVEList

CVE-2020-1103: An information disclosure vulnerability exists where certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site↗2020-05-21

▶

📋Vendor Advisories

Microsoft

Microsoft SharePoint Information Disclosure Vulnerability↗2020-05-12

▶