Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

msrc логотип

CVE-2018-8580

Опубликовано: 11 дек. 2018
Источник: msrc
EPSS Низкий

Описание

Microsoft SharePoint Information Disclosure Vulnerability

An information disclosure vulnerability exists where certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site search attacks (a variant of cross-site request forgery, CSRF).

When users are simultaneously logged in to Microsoft SharePoint Server and visit a malicious web page, the attacker can, through standard browser functionality, induce the browser to invoke search queries as the logged in user. While the attacker can’t access the search results or documents as such, the attacker can determine whether the query did return results or not, and thus by issuing targeted queries discover facts about documents that are searchable for the logged-in user.

The security update addresses the vulnerability by running the search queries in a way that doesn’t expose them to this browser vulnerability.

FAQ

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is Personally Identifiable Information (PII).

Обновления

ПродуктСтатьяОбновление
Microsoft SharePoint Foundation 2010 Service Pack 2
4461580
Security Update
Microsoft SharePoint Enterprise Server 2016
4461541
Security Update
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
4461549
Security Update

Показывать по

Возможность эксплуатации

Publicly Disclosed

No

Exploited

No

Latest Software Release

Exploitation Unlikely

Older Software Release

Exploitation Unlikely

EPSS

Процентиль: 93%
0.09597
Низкий

Связанные уязвимости

nvd логотип

CVE-2018-8580

CVSS3: 4.3
nvd
около 7 лет назад

An information disclosure vulnerability exists where certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site search attacks (a variant of cross-site request forgery, CSRF), aka "Microsoft SharePoint Information Disclosure Vulnerability." This affects Microsoft SharePoint.

github логотип

GHSA-phxm-v2jv-4gg8

CVSS3: 4.3
github
больше 3 лет назад

An information disclosure vulnerability exists where certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site search attacks (a variant of cross-site request forgery, CSRF), aka "Microsoft SharePoint Information Disclosure Vulnerability." This affects Microsoft SharePoint.

fstec логотип

BDU:2019-00061

CVSS3: 3.1
fstec
около 7 лет назад

Уязвимость функции поиска программной платформы Microsoft .NET Framework, позволяющая нарушителю получить доступ к конфиденциальной информации

EPSS

Процентиль: 93%
0.09597
Низкий