CVE-2024-30043: Abusing URL Parsing Confusion To Exploit XXE On Sharepoint Server And Cloud


Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that the author found in SharePoint.

The bug was recently patched by Microsoft. In general, XXE vulnerabilities are not very exciting in terms of discovery and related technical aspects. They may sometimes be fun to exploit and exfiltrate data (or do other nasty things) in real environments, but in the vulnerability research world, you typically find them, report them, and forget about them. So why the author is writing a blog post about an XXE? They have two reasons: 1. It affects SharePoint, both on-prem and cloud instances, which is a nice target. This vulnerability can be exploited by a low-privileged user. 2. This is one of the craziest XXEs that they have ever seen (and found), both in terms of vulnerability discovery and the method of triggering.

Read more…
Source: Zero Day Initiative


Sign up for our Newsletter


Related:

  • Kurat võtku! Estonia identifies security risk in almost 750,000 ID cards

    September 5, 2017

    The Estonian government has discovered a security risk in its ID card system, potentially affecting almost 750,000 residents. “When notified, Estonian authorities immediately took precautionary measures, including closing the public key database, in order to minimise the risk while the situation can be fully assessed and a solution developed,” according to an email by Kaspar Korjus, ...

  • Alert: AT&T customers with Arris modems at risk of remote hacking, claim infosec bods

    September 1, 2017

    Infosec consulting firm Nomotion has reported vulnerabilities in Arris broadband modems and which it says are trivial to exploit, and could affect nearly 140,000 devices. The report claims the modems carry hard-coded credentials, serious since a firmware update turned on SSH by default. That would let a remote attacker access the modem’s cshell service and take a ...

  • FDA Recalls Nearly Half a Million Pacemakers Over Hacking Fears

    August 31, 2017

    Almost half a million people in the United States are highly recommended to get their pacemakers updated, as they are vulnerable to hacking. The Food and Drug Administration (FDA) has recalled 465,000 pacemakers after discovering security flaws that could allow hackers to reprogram the devices to run the batteries down or even modify the patient’s heartbeat, ...

  • Intel ME controller chip has secret kill switch

    August 29, 2017

    Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk. Intel’s ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data travelling between ...

  • VoIP bods Fuze defuse triple whammy of portal security vulnerabilities

    August 23, 2017

    Messaging provider Fuze has resolved a trio of vulnerabilities in its TPN Handset Portal. The access controls and authentication flaws, discovered by security tools firm Rapid7, created a means for hackers to obtain personal data about Fuze users ranging from phone numbers to email addresses and access credentials. Once seized through brute-force attacks, this sensitive data could ...

  • Simple Exploit Allows Attackers to Modify Email Content — Even After It’s Sent!

    August 23, 2017

    Security researchers are warning of a new, easy-to-exploit email trick that could allow an attacker to turn a seemingly benign email into a malicious one after it has already been delivered to your email inbox. Dubbed Ropemaker (stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), the trick was uncovered by Francisco Ribeiro, the researcher at email and ...