SharePoint Online Cross-Site Scripting vulnerability
Affected Product: SharePoint Online
Credits: Vulnerability discovered by Claudio Cinquino
Executive Summary
Using a specially crafted HTTP request, it is possible to exploit insufficient neutralization of page output that includes user-submitted content.
Successful exploitation of the vulnerability results in the execution of arbitrary HTML and JavaScript code in the user's browser, in the context of the vulnerable SharePoint, through a Reflected XSS.
Proof of Concept
An authenticated user with editor privileges can insert malicious code (HTML/JavaScript) and run it later.
The Reflected XSS vulnerability was discovered in the Microsoft Forms Module.
The authenticated editor user can create a new module with Microsoft Forms and, with a specially crafted payload, execute arbitrary JavaScript code.

Disclosure Timeline
13/02/2019 Vulnerability discovered
13/02/2019 Initial vendor notification
06/05/2019 The vendor fixed the vulnerability
20/05/2019 The vendor published Online Service Acknowledgements