Published: 13/10/2017 Updated: 20/10/2017
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
CVSS v3 Base Score: 5.4 | Impact Score: 2.7 | Exploitability Score: 2.3
VMScore: 312
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Summary

Microsoft SharePoint Enterprise Server 2013 SP1 and Microsoft SharePoint Enterprise Server 2016 allow an malicious user to exploit a cross-site scripting (XSS) vulnerability by sending a specially crafted request to an affected SharePoint server, due to how SharePoint Server sanitizes web requests, aka "Microsoft Office SharePoint XSS Vulnerability". This CVE ID is unique from CVE-2017-11775 and CVE-2017-11820.

Affected Products

Vendor Product Versions
MicrosoftSharepoint Enterprise Server2013, 2016

Recent Articles

It's 2017... And Windows PCs can be pwned via DNS, webpages, Office docs, fonts – and some TPM keys are fscked too
The Register • Shaun Nichols in San Francisco • 10 Oct 2017

But at least there's no Flash update (not this week, anyway)

Microsoft today released patches for more than 60 CVE-listed vulnerabilities in its software. Meanwhile, Adobe is skipping October's Patch Tuesday altogether.
Among the latest holes that need papering over via Windows Update are three vulnerabilities already publicly disclosed – with one being exploited right now by hackers to infect vulnerable machines. That flaw, CVE-2017-11826, is leveraged when a booby-trapped Microsoft Office document is opened, allowing malicious code within it to ...

Microsoft Patches Office Bug Actively Being Exploited
Threatpost • Tom Spring • 10 Oct 2017

Security experts are urging network administrators to patch a Microsoft Office vulnerability that has been exploited in the wild.
The vulnerability (CVE-2017-11826) could allow remote code execution if a user opens a specially crafted Office file. It was one of 62 vulnerabilities patched by Microsoft as part of its monthly Patch Tuesday updates released today. Of those, 23 of  the vulnerabilities are rated critical, 34 rated as important and 33 can result in remote code execution.

Microsoft October Patch Tuesday Fixes 62 Security Issues, Including a Zero-Day
BleepingComputer • Catalin Cimpanu • 10 Oct 2017

Earlier today, Microsoft published the October 2017 Patch Tuesday, the company's monthly update train, addressing important security issues, but also some mundane bugfixes.
This month, the Patch Tuesday updates include fixes for 62 security bugs in applications such as the Windows OS, various Office offerings, Skype for Business, Internet Explorer, Microsoft Edge, and the Chackra Core browser engine.
Of all the bugs, the most important is a zero-day that was publicly disclosed and la...