• Consulting
  • Information Security
  • Networking
  • Software Development
  • R&D
  • SharePoint Online Cross-Site Scripting vulnerability


    Affected Product: SharePoint online
    Credits: Vulnerability discovered by Claudio Cinquino

    Executive Summary

    Using a specially crafted HTTP request, it is possible to exploit a lack in the neutralization of the pages output which includes the user submitted content.

    Successful exploitation of the vulnerabilities, results in the execution of arbitrary HTML and javascript code in user’s browser in context of the vulnerable SharePoint trough a “Reflected XSS”

    Proof of Concept

    An authenticated user with editor privileges can have the possibility to insert malicious code (html/javascript) and run it later.

    The Reflected XSS vulnerability was discovered in the Microsoft Forms Module.

    The authenticated editor user can create a new module with Microsoft forms and with a specially crafted payload it can execute arbitrary javascript code.

    Disclosure Timeline

    13/02/2019 – Vulnerability Discovered
    13/02/2019 – Initial vendor notification
    06/05/2019 – The vendor fixed the vulnerability
    20/05/2019 – The vendor published Online Service Acknowledgements


    [1] https://portal.msrc.microsoft.com/en-us/security-guidance/researcher-acknowledgments-online-services (April 2019)

    Claudio Cinquino

    Claudio Cinquino

    Security Auditor at Quantum Leap s.r.l.
    Claudio Cinquino