CVE-2023-23395

FAQ

I am running SharePoint Foundation 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Foundation 2013 Service Pack 1 ?

Yes, customers running SharePoint Foundation 2013 Service Pack 1 should install both of the security updates. The updates can be installed in any order.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.

According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?

The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site.

According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?

The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site.

I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?

No. Customers running SharePoint Enterprise Server 2013 Service Pack 1 should install either of the following:

• Cumulative update (ubersrv13). Note that this update also includes the *srvloc2013 update
• Both of the security updates (sts2013 AND *loc2013), which are the same updates as for Foundation Server 2013

Please note that this is a clarification of the existing servicing model for SharePoint Server 2013 and applies for all previous updates.