Forum Discussion

Sven Engel's avatar
Sven Engel
Copper Contributor
Aug 10, 2017

Found Stored Cross Site Scripting (XSS) vulnerability in SharePoint 2013

Hi @all,   having penetrated our local SP 2013 farm we now have to deal with a Stored Cross Site Scripting Vulnerability which was found by the pentesters.   What they did: Creating a new task e...
security
sharepoint server
XSS
Sven Engel's avatar
Sven Engel
Copper Contributor
Aug 15, 2017

Hi Trevor,

thanks for your post. uner kb.cert.org/vuls our vulnerability is not listed. At the moment I try to get the correct malicious code from our pentester to report the security vulnerability as clear as possible.

 

Our SP 2013 Farm and Win server have the all security paches installed until July 2017 and SP CU June 2017 ist installed too.
What is the right approach for us to verify this pentest finding?

1) https://technet.microsoft.com/en-us/security/ff852094. 

2) open a Microsoft Case

 

At the moment my intention is option 1 because I don't believe we have done a failure in our SP configuration.

Trevor Seward's avatar
Trevor Seward
MVP
Aug 15, 2017
Option 1, but that said, I can't reproduce your scenario. I created a Task list, entered "<script>alert(document.cookie);</script>" as the task item name, saved it and nothing was produced when viewing the Task list or the individual item.
  • Sven Engel's avatar
    Sven Engel
    Copper Contributor
    Aug 16, 2017

    At the moment I wait for the exact Code String from our pentester to reporduce the attack. I'll post it here and would kindly ask you to try it again.

     

    Thans in advance.

Resources