CVE-2020-1573
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server where authenticated attackers can inject malicious scripts through specially crafted web requests. Successful exploitation allows attackers to perform actions as the victim user, including reading unauthorized content, modifying permissions, deleting content, and injecting malicious content. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- Microsoft SharePoint Server
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could gain administrative privileges, exfiltrate sensitive data, delete or modify all SharePoint content, and maintain persistent access through backdoors.
Likely Case
An authenticated user with limited privileges could escalate their access, steal session cookies, modify content they shouldn't have access to, and perform phishing attacks against other users.
If Mitigated
With proper input validation and output encoding, the risk is reduced to minimal, though authenticated users could still attempt exploitation.
🎯 Exploit Status
Exploitation requires authenticated access to SharePoint and knowledge of XSS payloads. No public exploit code was found at time of advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security update released August 2020
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1573
Restart Required: Yes
Instructions:
1. Download the security update from Microsoft Update Catalog.
2. Apply the update to all affected SharePoint servers.
3. Restart the SharePoint servers.
4. Test functionality after patching.
🔧 Temporary Workarounds
Input Validation Enhancement
Windows: Implement additional input validation for SharePoint web requests
Content Security Policy
All platforms: Implement strict Content Security Policy headers to limit script execution
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads
- Restrict authenticated user permissions to minimum required levels
🔍 How to Verify
Check if Vulnerable:
Check SharePoint version and compare against patched versions in Microsoft advisory
Check Version:
Get-SPFarm | Select BuildVersion
Verify Fix Applied:
Verify security update is installed via Windows Update history or SharePoint version check
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests with script tags or JavaScript payloads
- Multiple failed authentication attempts followed by successful login and suspicious requests
Network Indicators:
- HTTP requests containing script tags or JavaScript in parameters
- Unusual outbound connections from SharePoint servers
SIEM Query:
source="sharepoint" AND (http_request="*<script*" OR http_request="*javascript:*" OR http_request="*onload=*" OR http_request="*onerror=*")
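The same four indicators can be checked directly against IIS logs when no SIEM is available. The following is an added example, not part of the advisory: it assumes W3C-format IIS logs with a `#Fields:` header, percent-decodes each request up to three times so encoded and double-encoded values are still matched, and runs on constructed sample lines (`example.aspx`, the user names and the function names are placeholders).

```python
import re
from urllib.parse import unquote_plus

# Same four indicators as the SIEM query above, matched case-insensitively.
INDICATORS = re.compile(r"<script|javascript:|onload\s*=|onerror\s*=", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values (%253C) are seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_iis_log(lines):
    """Return (client_ip, username, method, uri_stem, decoded_query) per suspicious request."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = decode_fully(row.get("cs-uri-query", "-"))
        stem = decode_fully(row.get("cs-uri-stem", ""))
        if INDICATORS.search(query) or INDICATORS.search(stem):
            hits.append((row.get("c-ip"), row.get("cs-username"),
                         row.get("cs-method"), row.get("cs-uri-stem"), query))
    return hits

# Constructed sample log (not from a real server); IPs are documentation addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-08-12 09:14:02 GET /sites/team/SitePages/Home.aspx - CONTOSO\\alice 192.0.2.10 200
2020-08-12 09:15:40 GET /sites/team/_layouts/15/example.aspx q=%3Cscript%3Ealert(1)%3C%2Fscript%3E CONTOSO\\bob 192.0.2.44 200
2020-08-12 09:16:11 POST /sites/team/_layouts/15/example.aspx title=%253Cimg+src%253Dx+onerror%253Dalert(1)%253E CONTOSO\\bob 192.0.2.44 200
2020-08-12 09:17:30 GET /sites/team/Lists/Tasks/AllItems.aspx View=onloading-dock CONTOSO\\carol 192.0.2.71 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

IIS W3C logs do not record request bodies, so values sent only in a POST body have to be caught in WAF or proxy logs instead.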