A flaw in Microsoft SharePoint could enable an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks.
SharePoint is a web-based, collaborative platform that integrates with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system, but the product is highly configurable and usage varies substantially between organizations. Microsoft states that SharePoint has 160 million users across 75,000 customer organizations.
The vulnerability, discovered by security researcher Ashar Javed and tracked as CVE-2017-8514, affects SharePoint's Follow feature, which enables users to follow sites that interest them. Users follow a site by clicking the "Follow" button in the top right corner of the page.
The issue exists because the affected software does not correctly validate input it processes. Attackers could exploit this vulnerability by persuading a victim to open a crafted link that submits malicious input to the affected software.
A successful exploit could enable the attacker to perform XSS attacks, potentially gain access to sensitive browser-based information, or take actions with the privileges of the user in the security context of the affected software.
Microsoft confirmed the vulnerability and released software updates. Microsoft customers can obtain updates directly by using the links in the Microsoft Security Update Guide.