CVE-2023-21717

FAQ

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

The attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint.

How could an attacker exploit the vulnerability?

In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.

I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?

No. Customers running SharePoint Enterprise Server 2013 Service Pack 1 should install either of the following:

• Cumulative update (ubersrv13). Note that this update also includes the *srvloc2013 update
• Both of the security updates (sts2013 AND *loc2013), which are the same updates as for Foundation Server 2013

Please note that this is a clarification of the existing servicing model for SharePoint Server 2013 and applies for all previous updates.

I am running SharePoint Foundation 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Foundation 2013 Service Pack 1 ?

Yes, customers running SharePoint Foundation 2013 Service Pack 1 should install both of the security updates. The updates can be installed in any order.