CVE-2020-0926: 
vulnerability analysis and mitigation

A cross-site-scripting (XSS) vulnerability (CVE-2020-0926) exists when Microsoft SharePoint Server does not properly sanitize specially crafted web requests to an affected SharePoint server. The vulnerability was disclosed on April 15, 2020, affecting multiple versions of SharePoint including SharePoint Enterprise Server 2013 SP1, SharePoint Enterprise Server 2016, and SharePoint Server 2019 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction. The scope is changed with low confidentiality and integrity impact, and no availability impact. Under CVSS v2.0, it received a base score of 3.5 (Low) with vector (AV:N/AC:M/Au:S/C:N/I:P/A:N) (NVD).

The vulnerability could allow an attacker to perform cross-site scripting attacks by sending specially crafted web requests to an affected SharePoint server. If successful, the attacker could potentially execute arbitrary script in the context of the user's session (NVD).

Microsoft has released security updates to address this vulnerability. The fixes are included in the April 14, 2020 security updates for affected SharePoint versions. Organizations should apply the security update 4484292 for SharePoint Server 2019, security update 4484299 for SharePoint Enterprise Server 2016, or the appropriate update for their SharePoint version (Microsoft Support).