CVE-2020-1439

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

8.8HIGH

EPSS

31.2%

top 3.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Microsoft Sharepoint Enterprise Server Microsoft Microsoft Sharepoint Foundation Microsoft Microsoft Sharepoint Server +3 more

Timeline

PublishedJul 14

Latest updateMay 24

Description

A remote code execution vulnerability exists in PerformancePoint Services for SharePoint Server when the software fails to check the source markup of XML file input, aka 'PerformancePoint Services Remote Code Execution Vulnerability'.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶NVDmicrosoft/sharepoint_server2010, 2019+1

▶CVEListV5microsoft/microsoft_sharepoint_server2010 Service Pack 2, 2019+1

▶NVDmicrosoft/sharepoint_enterprise_server2013, 2016+1

▶CVEListV5microsoft/microsoft_sharepoint_enterprise_server2013 Service Pack 1, 2016+1

▶NVDmicrosoft/sharepoint_foundation2013

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-7vrg-q6mv-3q9x: A remote code execution vulnerability exists in PerformancePoint Services for SharePoint Server when the software fails to check the source markup of↗2022-05-24

▶

CVEList

CVE-2020-1439: A remote code execution vulnerability exists in PerformancePoint Services for SharePoint Server when the software fails to check the source markup of↗2020-07-14

▶

📋Vendor Advisories

Microsoft

PerformancePoint Services Remote Code Execution Vulnerability↗2020-07-14

▶