Adrian Johnson
TLDR:
• A PoC exploit has been published for a SharePoint XXE injection vulnerability, allowing threat actors to perform various attacks.
• The vulnerability affects both on-prem and cloud instances of SharePoint.
In a recent discovery, a new XXE (XML eXternal Entity) Injection vulnerability has been found to impact SharePoint, both on on-premises and cloud instances. This vulnerability, assigned to CVE-2024-30043 with a severity rating of 6.3, allows threat actors to read files with SharePoint Farm Service Account permission, perform SSRF attacks, NTLM relaying, and other attacks that XXE can enable, including remote code execution.
The vulnerability arises from flaws in XML fetching and parsing on the BaseXmlDataSource DataSource, which is a base class inheriting from DataSource. Despite seeming secure initially, it was later found that malicious payload execution was possible through a surprising loophole in the XML parsing process.
Microsoft has released a patch for this vulnerability in the Patch Tuesday updates of May 2024. Users are advised to update their SharePoint instances to the latest versions to prevent exploitation by threat actors.
Overall, this XXE injection vulnerability in SharePoint poses a significant risk and highlights the importance of staying updated with security patches to protect against potential attacks.
