CVE-2021-31948
📋 TL;DR
This vulnerability allows an authenticated attacker to spoof content in Microsoft SharePoint Server, potentially tricking users into interacting with malicious content. It affects SharePoint Server 2019 and SharePoint Server Subscription Edition. Attackers must have authenticated access to the SharePoint site.
💻 Affected Systems
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create convincing phishing pages within SharePoint that appear legitimate, leading to credential theft, malware installation, or data exfiltration when users interact with the spoofed content.
Likely Case
Attackers with authenticated access could create deceptive pages or content that misleads other SharePoint users, potentially leading to social engineering attacks or unauthorized actions.
If Mitigated
With proper authentication controls and user awareness training, the impact is limited to authenticated users who can already access the SharePoint environment.
🎯 Exploit Status
Exploitation requires authenticated access to SharePoint with content creation/modification permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in June 2021 (specific KB numbers vary by SharePoint version)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31948
Restart Required: Yes
Instructions:
1. Download the appropriate security update from Microsoft Update Catalog.
2. Apply the update to all SharePoint servers.
3. Restart SharePoint services or the server as required.
4. Test functionality after patching.
🔧 Temporary Workarounds
Restrict Content Creation Permissions
Limit which users can create or modify SharePoint content to reduce attack surface
🧯 If You Can't Patch
- Implement strict access controls to limit who can create/modify SharePoint content
- Enable detailed auditing of SharePoint content creation and modification activities
🔍 How to Verify
Check if Vulnerable:
Check SharePoint Server version and compare against patched versions from June 2021 security updates
Check Version:
Get-SPFarm | Select-Object BuildVersion  # run in PowerShell on the SharePoint server
Verify Fix Applied:
Verify SharePoint Server has June 2021 security updates installed and version matches patched release
📡 Detection & Monitoring
Log Indicators:
- Unusual content creation/modification patterns
- Multiple content changes from single user in short timeframe
Network Indicators:
- Unusual SharePoint content access patterns
SIEM Query:
source="SharePoint" AND (event="Content Created" OR event="Content Modified") AND user NOT IN [approved_content_creators]
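The two log indicators and the SIEM query above, worked through as an added example (not part of the original advisory or any Microsoft tooling): it flags content changes by users outside an allowlist and bursts of changes by one user inside a sliding time window. The event names come from the query above; the record layout, user names, allowlist, window and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (ISO time, user, event, item). This layout is an
# assumption for illustration, not a real SharePoint audit log schema.
SAMPLE_EVENTS = [
    ("2021-06-10T09:00:00", "alice", "Content Modified", "/sites/hr/Pages/policy.aspx"),
    ("2021-06-10T09:05:00", "bob", "Content Created", "/sites/hr/Pages/login-help.aspx"),
    ("2021-06-10T09:30:00", "alice", "Content Modified", "/sites/hr/Pages/policy.aspx"),
    ("2021-06-10T10:00:00", "alice", "Content Created", "/sites/hr/Pages/faq.aspx"),
    ("2021-06-10T11:00:00", "carol", "Content Modified", "/sites/it/Pages/vpn.aspx"),
    ("2021-06-10T11:01:00", "carol", "Content Modified", "/sites/it/Pages/sso.aspx"),
    ("2021-06-10T11:02:30", "carol", "Content Created", "/sites/it/Pages/reset.aspx"),
    ("2021-06-10T11:03:00", "dave", "Content Viewed", "/sites/it/Pages/reset.aspx"),
]
APPROVED_CREATORS = {"alice", "carol"}  # hypothetical allowlist
CONTENT_EVENTS = {"Content Created", "Content Modified"}  # from the SIEM query


def find_alerts(events, approved, window=timedelta(minutes=5), threshold=3):
    """Return a sorted list of (user, reason) alerts.

    reason is "unapproved-author" when a user outside the allowlist creates or
    modifies content, and "burst" when one user makes at least `threshold`
    content changes within `window`.
    """
    alerts = set()
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    for ts, user, event, _item in sorted(events):  # ISO strings sort by time
        if event not in CONTENT_EVENTS:
            continue  # views and other events are not content changes
        when = datetime.fromisoformat(ts)
        if user not in approved:
            alerts.add((user, "unapproved-author"))
        times = recent[user]
        times.append(when)
        while when - times[0] > window:  # drop changes older than the window
            times.popleft()
        if len(times) >= threshold:
            alerts.add((user, "burst"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in find_alerts(SAMPLE_EVENTS, APPROVED_CREATORS):
        print(f"ALERT user={user} reason={reason}")
```

A burst alert on an approved author is a prompt for review rather than a verdict, since bulk edits are also normal publishing behaviour.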