Executive Summary



This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary
Title: Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (3052044)
Information
Name: MS15-036
First vendor Publication: 2015-04-14
Vendor: Microsoft
Last vendor Modification: 2015-04-14
Severity (Vendor): Important
Revision: 1.0

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Base Score: 4.3
Attack Range: Network
CVSS Impact Score: 2.9
Attack Complexity: Medium
CVSS Exploit Score: 8.6
Authentication: None Required

Detail

Severity Rating: Important
Revision Note: V1.0 (April 14, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Office server and productivity software. The vulnerabilities could allow elevation of privilege if an attacker sends a specially crafted request to an affected SharePoint server. An attacker who successfully exploited the vulnerabilities could read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim.

Original Source

Url : https://technet.microsoft.com/en-us/library/security/MS15-036

CWE : Common Weakness Enumeration

CWE-79 (100 %): Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:28523
 
Oval ID: oval:org.mitre.oval:def:28523
Title: Microsoft SharePoint XSS vulnerability – CVE-2015-1653 (MS15-036)
Description: Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2013 SP1 and SharePoint Server 2013 SP1 allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka "Microsoft SharePoint XSS Vulnerability."
Family: windows
Class: vulnerability
Reference(s): CVE-2015-1653
Version: 3
Platform(s): Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012, Microsoft Windows Server 2012 R2, Microsoft Windows 8.1
Product(s): Microsoft SharePoint Foundation 2013, Microsoft SharePoint Server 2013
Definition Synopsis:

Definition Id: oval:org.mitre.oval:def:28565
 
Oval ID: oval:org.mitre.oval:def:28565
Title: Microsoft SharePoint XSS vulnerability – CVE-2015-1640 (MS15-036)
Description: Cross-site scripting (XSS) vulnerability in Microsoft Project Server 2010 SP2 and 2013 SP1 allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka "Microsoft SharePoint XSS Vulnerability."
Family: windows
Class: vulnerability
Reference(s): CVE-2015-1640
Version: 4
Platform(s): Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012, Microsoft Windows Server 2012 R2
Product(s): Microsoft Project Server 2013, Microsoft Project Server 2010
Definition Synopsis:

CPE : Common Platform Enumeration

Type: Application, Count: 2
Type: Application, Count: 1
Type: Application, Count: 1

Information Assurance Vulnerability Management (IAVM)

Date: 2015-04-16
Description: IAVM : 2015-A-0087 - Multiple Vulnerabilities in Microsoft Office SharePoint Server (MS15-036)
Severity : Category II - VMSKEY : V0059889

Snort® IPS/IDS

Date: 2014-01-10
Description: script tag in URI - likely cross-site scripting attempt
RuleID : 7070 - Revision : 22 - Type : POLICY-OTHER

Date: 2015-05-14
Description: Microsoft SharePoint projectdetails.aspx ret parameter XSS attempt
RuleID : 34099 - Revision : 3 - Type : SERVER-OTHER

Date: 2014-01-10
Description: script tag in POST parameters - likely cross-site scripting
RuleID : 21782 - Revision : 9 - Type : INDICATOR-OBFUSCATION

Nessus® Vulnerability Scanner

Date: 2015-04-14
Name : The remote Windows host is affected by multiple cross-site scripting vulnerab...
File : smb_nt_ms15-036.nasl - Type : ACT_GATHER_INFO

Alert History

Date / Information
2015-10-18 17:26:31
  • Multiple Updates
2015-05-14 21:26:34
  • Multiple Updates
2015-04-16 05:30:17
  • Multiple Updates
2015-04-15 13:28:35
  • Multiple Updates
2015-04-15 05:31:35
  • Multiple Updates
2015-04-14 21:30:22
  • Multiple Updates
2015-04-14 21:26:09
  • Multiple Updates
2015-04-14 21:16:54
  • First insertion