History: Nov 11, 2014 - 12:00 a.m.

KLA10604 Multiple vulnerabilities in Microsoft SharePoint

2014-11-11 00:00:00
Kaspersky Lab
threats.kaspersky.com

AI Score: 7.2 High (Confidence: High)

CVSS2: 9.3 High

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.13 Low (Percentile: 95.5%)

Multiple serious vulnerabilities have been found in Microsoft SharePoint. Malicious users can exploit these vulnerabilities to gain privileges or execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. An XSS vulnerability can be exploited remotely via specially designed requests;
  2. Unknown vulnerabilities can be exploited remotely via specially designed page content or an app.

Original advisories

CVE-2014-2816

CVE-2014-0251

CVE-2014-1754

CVE-2014-1813

CVE-2014-4116

Related products

Microsoft-Sharepoint-Server

CVE list

CVE-2014-2816 critical

CVE-2014-0251 critical

CVE-2014-1754 warning

CVE-2014-1813 critical

CVE-2014-4116 warning

KB list

2837588

2880453

2880536

2863829

2863922

2837598

2880994

2863863

2760236

2752096

2596861

2596763

2977202

2810069

2596902

2863836

2863856

2863854

3000431

2952166

2596810

2837616

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to an abuser executing any code or commands on the vulnerable machine or process.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to an abuser performing actions that are normally disallowed for the current role.

Affected Products

  • Microsoft Windows SharePoint Services x86, x64 3.0 Service Pack 3
  • Microsoft SharePoint Foundation 2010 Service Pack 1, 2
  • Microsoft SharePoint Foundation 2013
  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Server 2013
  • Microsoft SharePoint Server 2013 Service Pack 1
  • Microsoft Project Server 2010 Service Pack 1, 2
  • Microsoft Project Server 2013
  • Microsoft Project Server 2013 Service Pack 1
  • Microsoft Web Applications 2010 Service Pack 1, 2
  • Microsoft Office Web Apps Server 2013
  • Microsoft Office Web Apps Server 2013 Service Pack 1
