An authenticated user can launch an administrator level remote code execution irrespective of the authenticated user's role. An attacker can exploit this vulnerability to access sensitive information, launch administrator level remote code execution, or perform other actions as an administrator. This vulnerability can be exploited via a remote attacker via a crafted request. Applications that accept user-supplied data or that operate with user level privileges require input validation. These applications must validate the received input before using it. If an application does not validate the received input, it might allow attackers to conduct reflected cross site scripting attacks, conduct injection attacks, or perform other attacks as an administrator.

Vulnerability overview

A vulnerability in Microsoft SharePoint Server allows an authenticated user to launch an administrator level remote code execution irrespective of the authenticated user's role. An attacker can exploit this vulnerability to access sensitive information, launch administrator level remote code execution or perform other actions as an administrator. This vulnerability is exposed via a remote attacker via a crafted request. Applications that accept user-supplied data or that operate with user level privileges require input validation. These applications must validate the received input before using it. If an application does not validate the received input, it might allow attackers to conduct reflected cross site scripting attacks, conduct injection attacks, or perform other attacks as an administrator.
This vulnerability was discovered by Matt Miller and can be found in CVE-2022-3388

Vulnerability Analysis

This vulnerability is caused when the application does not validate input before using it. A remote attacker is able to exploit this vulnerability to access sensitive information, launch Administrator level remote code execution or perform other actions as an administrator. This vulnerability can be exploited via a remote attacker via a crafted request. Applications that accept user-supplied data or that operate with user level privileges require input validation. These applications must validate the received input before using it. If an application does not validate the received input, it might allow attackers to conduct reflected cross site scripting attacks, conduct injection attacks, or perform other attacks as an administrator

Timeline

Published on: 11/21/2022 19:15:00 UTC
Last modified on: 12/08/2022 15:26:00 UTC

References