CVE-2020-0971: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2020-0971) exists in Microsoft SharePoint when the software fails to check the source markup of an application package. The vulnerability was discovered and reported to Microsoft in July 2020, and a security update was released in April 2020 (CVE MITRE).

The vulnerability specifically exists within the handling of web parts of type DataFormWebPart. When an attacker specifies a custom DataFormWebPart, it can cause the server to process arbitrary server-side includes. The vulnerability has been assigned a CVSS score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating moderate severity with network attack vector, low complexity, and requiring low privileges (ZDI Advisory).

The successful exploitation of this vulnerability could allow attackers to disclose sensitive information on affected installations of Microsoft SharePoint Server. Specifically, attackers can leverage this vulnerability to disclose stored credentials, which could lead to further system compromise (ZDI Advisory).

Microsoft has released a security update to address this vulnerability. The fix was included in the April 2020 security updates for SharePoint Server 2019 (Microsoft Support).