SharePoint Online cross-site scripting vulnerability


Affected Product: SharePoint Online
Credits: Vulnerability discovered by Claudio Cinquino

Executive Summary

Using a specially crafted HTTP request, it is possible to exploit the missing neutralization of page output that includes user-submitted content.

Successful exploitation of the vulnerability results in the execution of arbitrary HTML and JavaScript code in the user’s browser, in the context of the vulnerable SharePoint, through a “Reflected XSS”.

Proof of Concept

An authenticated user with editor privileges can insert malicious code (HTML/JavaScript) and run it later.

The Reflected XSS vulnerability was discovered in the Microsoft Forms Module.

The authenticated editor user can create a new module with Microsoft Forms and, with a specially crafted payload, execute arbitrary JavaScript code.

Disclosure Timeline

13/02/2019 – Vulnerability Discovered
13/02/2019 – Initial vendor notification
06/05/2019 – The vendor fixed the vulnerability
20/05/2019 – The vendor published Online Service Acknowledgements


[1] (April 2019)
