CVE-2020-0924: 
vulnerability analysis and mitigation

A cross-site-scripting (XSS) vulnerability (CVE-2020-0924) exists when Microsoft SharePoint Server does not properly sanitize specially crafted web requests to an affected SharePoint server. The vulnerability was disclosed on April 15, 2020, affecting multiple versions of SharePoint including SharePoint Enterprise Server 2016, SharePoint Foundation 2013 SP1, and SharePoint Server 2019 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction. The scope is changed with low confidentiality and integrity impact, and no availability impact. Under CVSS v2.0, it received a base score of 3.5 (Low) with vector (AV:N/AC:M/Au:S/C:N/I:P/A:N) (NVD).

The vulnerability could allow an attacker to perform cross-site scripting attacks by sending specially crafted web requests to an affected SharePoint server. If successful, the attacker could potentially execute arbitrary script in the context of the user's session (NVD).

Microsoft has released security updates to address this vulnerability. The fixes are available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center. For SharePoint Server 2019, the security update package is KB4484292, and for SharePoint Enterprise Server 2016, the update package is KB4484299 (Microsoft Support).