CVE-2020-1460
Description
A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process. To exploit the vulnerability, an authenticated user must create and invoke a specially crafted page on an affected version of Microsoft SharePoint Server. The security update addresses the vulnerability by correcting how Microsoft SharePoint Server handles processing of created content.
Risk Information
Base Score
8.7
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C
EPSS Score
Exploitation Probability
4.724
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Microsoft SharePoint Server Remote Code Execution Vulnerability for Microsoft SharePoint Foundation 2013 (KB4484488) | Windows |
| Microsoft SharePoint Spoofing Vulnerability for Microsoft SharePoint Foundation 2010 (KB4486667) | Windows |
| Microsoft Word Remote Code Execution Vulnerability for Microsoft SharePoint Enterprise Server 2016 (KB4484506) | Windows |
| Microsoft SharePoint Server Tampering Vulnerability for Microsoft SharePoint Enterprise Server 2013 (KB4484515) | Windows |
Patch Details
Click to see the patches provided by ManageEngine for this CVE
| Patch ID | Patch Description |
|---|---|
| PATCH-29848 | Security Update for Microsoft SharePoint Foundation 2013 (KB4484488) |
| PATCH-29862 | Security Update for Microsoft SharePoint Enterprise Server 2016 (KB4484506) |
| PATCH-29847 | Security Update for Microsoft SharePoint Enterprise Server 2013 (KB4484515) |
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234