CVE-2020-0920: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2020-0920) exists in Microsoft SharePoint when the software fails to check the source markup of an application package. The vulnerability was disclosed and patched on April 14, 2020, affecting multiple versions of SharePoint including SharePoint Enterprise Server 2016, SharePoint Foundation 2010 SP2, SharePoint Foundation 2013 SP1, and SharePoint Server 2019 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and requiring low privileges. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the SharePoint application pool and SharePoint server farm account. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the affected systems (NVD).

Microsoft has released security updates to address this vulnerability. The fix is included in the April 14, 2020 security update for affected SharePoint versions. Organizations are advised to apply the security update KB4484299 for SharePoint Enterprise Server 2016 and corresponding updates for other affected versions (Microsoft Support).