Login Sign Up

CVE-2023-36891

8.0 HIGH
Cross-Site Scripting

📋 TL;DR

This vulnerability allows an attacker to inject malicious scripts into Microsoft SharePoint Server, which could execute when viewed by other users. It affects organizations running vulnerable SharePoint Server versions, potentially enabling cross-site scripting attacks.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Specific versions as listed in Microsoft advisory (check vendor URL for exact ranges)
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects SharePoint Server installations with web access enabled. Exact version details require checking Microsoft's advisory.

📦 What is this software?

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to data theft or account compromise.

🟠

Likely Case

Attackers would typically use this to steal user credentials or session tokens, enabling unauthorized access to SharePoint content and functionality.

🟢

If Mitigated

With proper input validation and output encoding controls, the risk is significantly reduced, though patching remains essential.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation typically requires some level of user interaction or access to inject malicious content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft's monthly security updates for SharePoint Server

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36891

Restart Required: Yes

Instructions:

1. Apply the latest security update from Microsoft's Patch Tuesday releases. 2. Restart SharePoint services. 3. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Enhancement

windows

Implement strict input validation and output encoding for user-supplied content in SharePoint.

🧯 If You Can't Patch

  • Restrict user permissions to minimize who can post content to SharePoint.
  • Implement web application firewall (WAF) rules to block common XSS payloads.

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version against Microsoft's security bulletin for CVE-2023-36891.

Check Version:

In SharePoint Central Administration, navigate to 'Upgrade and Migration' > 'Check product and patch installation status'.

Verify Fix Applied:

Verify that the SharePoint Server version is updated to a patched release as specified by Microsoft.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to SharePoint pages with script-like content in parameters.
  • Errors related to input validation failures in SharePoint logs.

Network Indicators:

  • HTTP requests containing suspicious script tags or JavaScript in URL parameters or form data.

SIEM Query:

source="sharepoint_logs" AND (http_method="POST" AND (uri="*aspx*" OR uri="*ashx*") AND (content="*<script>*" OR content="*javascript:*"))

📊 Metadata

CVE ID: CVE-2023-36891
CVSS v3 Score: 8.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-79
Published: August 8, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36891, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)