CVE-2022-41036

FAQ

How could an attacker exploit the vulnerability?

In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

The attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint.

I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install both updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?

No. The Cumulative update for SharePoint Server 2013 includes the update for Foundation Server 2013. Customers running SharePoint Server 2013 Service Pack 1 can install the cumulative update or the security update, which is the same update as for Foundation Server 2013.

Please note that this is a clarification of the existing servicing model for SharePoint Server 2013 and applies for all previous updates.