The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Microsoft Windows SharePoint Services

computer vulnerability note CVE-2015-1640 CVE-2015-1653

Microsoft SharePoint: two XSS vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft SharePoint.
Impacted products: MOSS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 14/04/2015.
Identifiers: 3052044, CERTFR-2015-AVI-154, CVE-2015-1640, CVE-2015-1653, MS15-036, VIGILANCE-VUL-16599.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft SharePoint.

An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1640]

An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1653]

computer vulnerability alert CVE-2015-1639 CVE-2015-1641 CVE-2015-1649

Microsoft Office: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Office.
Impacted products: Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, MOSS, Visio, Word.
Severity: 3/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 14/04/2015.
Identifiers: 3048019, CERTFR-2015-AVI-151, CVE-2015-1639, CVE-2015-1641, CVE-2015-1649, CVE-2015-1650, CVE-2015-1651, MS15-033, VIGILANCE-VUL-16596, ZDI-15-132.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1641]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1649]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1650, ZDI-15-132]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1651]

An attacker can trigger a Cross Site Scripting in Microsoft Outlook App for Mac, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1639]

computer vulnerability alert CVE-2015-0085 CVE-2015-0086 CVE-2015-0097

Microsoft Office, SharePoint: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Office.
Impacted products: Office, Access, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, MOSS, Visio, Word.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 10/03/2015.
Identifiers: 3038999, CERTFR-2015-AVI-098, CVE-2015-0085, CVE-2015-0086, CVE-2015-0097, CVE-2015-1633, CVE-2015-1636, MS15-022, VIGILANCE-VUL-16366, ZDI-15-088.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can force the usage of a freed memory area in Office, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0085, ZDI-15-088]

An attacker can generate a memory corruption in Office, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0086]

An attacker can generate a memory corruption in Office, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0097]

An attacker can trigger a Cross Site Scripting in SharePoint, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1633]

An attacker can trigger a Cross Site Scripting in SharePoint, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1636]

computer vulnerability CVE-2014-6356 CVE-2014-6357

Microsoft Office, Word, SharePoint: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Office, Word, SharePoint.
Impacted products: Office, MOSS, Word.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/12/2014.
Identifiers: 3017301, CERTFR-2014-AVI-519, CVE-2014-6356, CVE-2014-6357, MS14-081, VIGILANCE-VUL-15765.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office, Word, SharePoint.

An attacker can generate an integer overflow, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-6356]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-6357]

computer vulnerability note CVE-2014-4116

Microsoft SharePoint: Cross Site Scripting of List

Synthesis of the vulnerability

An authenticated attacker can trigger a Cross Site Scripting in Microsoft SharePoint, in order to execute JavaScript code in the context of other users.
Impacted products: MOSS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: user account.
Creation date: 12/11/2014.
Identifiers: 3000431, CERTFR-2014-AVI-472, CVE-2014-4116, MS14-073, VIGILANCE-VUL-15619.

Description of the vulnerability

The Microsoft SharePoint product offers a web service.

However, an authenticated user can alter a list, which is then inserted in HTML documents generated for other users.

An authenticated attacker can therefore trigger a Cross Site Scripting in Microsoft SharePoint, in order to execute JavaScript code in the context of other users.

vulnerability note CVE-2014-2816

Microsoft SharePoint: privilege escalation via permissions

Synthesis of the vulnerability

An attacker can create an extension of Microsoft SharePoint, in order to gain all privileges of the end user.
Impacted products: MOSS.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, client access/rights.
Provenance: document.
Creation date: 13/08/2014.
Identifiers: 2977202, CERTFR-2014-AVI-352, CVE-2014-2816, MS14-050, VIGILANCE-VUL-15174.

Description of the vulnerability

The Microsoft SharePoint product offers a web service.

A SharePoint site may host extensions, for which access permissions to the core server are defined. However, an extension can bypass the restrictions on its actions and inject any JavaScript code into the browser.

An attacker can therefore create an extension of Microsoft SharePoint, in order to gain all privileges of the end user.

vulnerability CVE-2014-0251 CVE-2014-1754 CVE-2014-1813

Microsoft SharePoint: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft SharePoint.
Impacted products: MOSS.
Severity: 3/4.
Consequences: user access/rights, client access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 13/05/2014.
Identifiers: 2952166, CERTFR-2014-AVI-220, CVE-2014-0251, CVE-2014-1754, CVE-2014-1813, MS14-022, VIGILANCE-VUL-14740.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft SharePoint.

An attacker can send a malicious document to the server, in order to execute code with privileges of the W3WP service. [severity:3/4; CVE-2014-0251]

An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2014-1754]

An attacker can send a malicious document to the server, in order to execute code with privileges of the W3WP service. [severity:3/4; CVE-2014-1813]

vulnerability bulletin CVE-2014-1757 CVE-2014-1758

Office, Word: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Office, Word.
Impacted products: Office, Excel, Outlook, PowerPoint, MOSS, Word.
Severity: 3/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/04/2014.
Identifiers: 2949660, CERTFR-2014-AVI-157, CVE-2014-1757, CVE-2014-1758, MS14-017, VIGILANCE-VUL-14553, VU#882841.

Description of the vulnerability

Several vulnerabilities were announced in Office, Word.

An attacker can generate a buffer overflow in the File Format Converter, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-1757, VU#882841]

An attacker can generate a buffer overflow in Word, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-1758]

vulnerability note CVE-2014-1761

Word: memory corruption via RTF

Synthesis of the vulnerability

An attacker can create a malicious RTF file, to generate a memory corruption in Word, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Office, Excel, Outlook, PowerPoint, MOSS, Word.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, denial of service on client.
Provenance: document.
Creation date: 25/03/2014.
Identifiers: 2949660, 2953095, CERTFR-2014-ALE-002, CVE-2014-1761, MS14-017, VIGILANCE-VUL-14464.

Description of the vulnerability

The Word product is configured to open RTF (Rich Text Format) documents. By default, Microsoft Outlook calls Word to open RTF emails.

However, a malformed RTF file corrupts the Word memory.

An attacker can therefore create a malicious RTF file, to generate a memory corruption in Word, in order to trigger a denial of service, and possibly to execute code.

vulnerability note CVE-2014-0258 CVE-2014-0259 CVE-2014-0260

Word, SharePoint: three vulnerabilities

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious file with Word, or use it with SharePoint, in order to execute code on his computer.
Impacted products: Office, MOSS, Word.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 14/01/2014.
Identifiers: 2916605, BID-64726, BID-64727, BID-64728, CERTA-2014-AVI-014, CVE-2014-0258, CVE-2014-0259, CVE-2014-0260, MS14-001, VIGILANCE-VUL-14084.

Description of the vulnerability

Several vulnerabilities were announced in Word and SharePoint.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; BID-64726, CVE-2014-0258]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; BID-64727, CVE-2014-0259]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; BID-64728, CVE-2014-0260]

An attacker can therefore invite the victim to open a malicious file with Word, or use it with SharePoint, in order to execute code on his computer.