CVE-2022-38008

FAQ

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

The attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint.

How could an attacker exploit the vulnerability?

In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.

I am running SharePoint Enterprise Server 2013 Service Pack 1. There are multiple updates listed in the Security Updates table. Do I need to install all of these updates?

No. The Cumulative update for SharePoint Enterprise Server 2013 (uberserv2013) includes the update for Foundation Server 2013. Customers running SharePoint Enterprise Server 2013 Service Pack 1 can install the cumulative update or the security update (sts2013), which is the same update as for Foundation Server 2013.

Customers running SharePoint Enterprise Server 2013 Service Pack 1 should also install the wssloc update as it contains language pack updates.

Please note that this is a clarification of the existing servicing model for SharePoint Server 2013 and applies for all previous updates.

I am running SharePoint Foundation Server 2013, SharePoint Enterprise Server 2016, or SharePoint Server 2019. There are multiple updates available for each of these affected versions. Do I need to install all the updates listed in the Security Updates table for these versions?

Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.