vendor: SharePoint Server
by: West Shepherd
CVSS: 7.8 HIGH
Remote Code Execution
CWE: 502
Product Name: SharePoint Server
Affected Version From: SharePoint Enterprise Server 2013 Service Pack 1
Affected Version To: SharePoint Server 2019
Patch Exists: YES
Related CWE: CVE-2020-1147
CPE: a:microsoft:sharepoint_server:2019
Metasploit:
https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-1147/
https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2020-1147/
https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2020-1147/
https://www.rapid7.com/db/vulnerabilities/microsoft-sharepoint-cve-2020-1147/
https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2020-1147/
Other Scripts: N/A
Platforms Tested: Windows 2016
2020
Microsoft SharePoint Server 2019 – Remote Code Execution
An unauthenticated attacker can exploit a vulnerability in Microsoft SharePoint Server 2019 to execute arbitrary code on the server. The vulnerability exists due to the way SharePoint handles deserialization of user-supplied data, and it is triggered by sending a specially crafted request to the server.
Mitigation:
Microsoft has released a security update to address this vulnerability. Users are advised to apply the security update as soon as possible.