Forum Discussion

Copper Contributor

Aug 10, 2017

Found Stored Cross Site Scripting (XSS) vulnerability in SharePoint 2013

Hi @all, having penetrated our local SP 2013 farm we now have to deal with a Stored Cross Site Scripting Vulnerability which was found by the pentesters. What they did: Creating a new task e...

sharepoint server

MVP

Aug 14, 2017

What patch level is the farm at? In addition, any vulnerabilities should be reported to MSRC team for proper attention or to CERT - http://www.kb.cert.org/vuls/ (or both). You can report security vulnerabilities to MSRC here - https://technet.microsoft.com/en-us/security/ff852094.

Sven Engel
Copper Contributor
Aug 15, 2017
Hi Trevor,

thanks for your post. uner kb.cert.org/vuls our vulnerability is not listed. At the moment I try to get the correct malicious code from our pentester to report the security vulnerability as clear as possible.

Our SP 2013 Farm and Win server have the all security paches installed until July 2017 and SP CU June 2017 ist installed too.
What is the right approach for us to verify this pentest finding?

1) https://technet.microsoft.com/en-us/security/ff852094.
2) open a Microsoft Case

At the moment my intention is option 1 because I don't believe we have done a failure in our SP configuration.
- Trevor Seward
  MVP
  Aug 15, 2017
  Option 1, but that said, I can't reproduce your scenario. I created a Task list, entered "<script>alert(document.cookie);</script>" as the task item name, saved it and nothing was produced when viewing the Task list or the individual item.
  - Sven Engel
    Copper Contributor
    Aug 16, 2017
    At the moment I wait for the exact Code String from our pentester to reporduce the attack. I'll post it here and would kindly ask you to try it again.
    
    Thans in advance.

Resources