CVE-2020-0973: 
vulnerability analysis and mitigation

A cross-site-scripting (XSS) vulnerability exists in Microsoft SharePoint Server when it fails to properly sanitize specially crafted web requests to affected SharePoint servers, identified as CVE-2020-0973. This vulnerability was disclosed on April 14, 2020, and affects multiple versions of SharePoint Server including SharePoint Server 2010 SP2, SharePoint Enterprise Server 2013 SP1, SharePoint Enterprise Server 2016, and SharePoint Server 2019 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction. The scope is changed, with low impact on confidentiality and integrity, but no impact on availability (NVD).

The vulnerability could allow an attacker to perform cross-site scripting attacks when SharePoint Server fails to properly sanitize web requests. This could potentially lead to unauthorized disclosure of information or execution of arbitrary scripts in the context of the user's session (NVD).

Microsoft has released security updates to address this vulnerability. The fixes are included in the April 14, 2020 security updates for affected SharePoint Server versions. Organizations are advised to apply these security updates through Microsoft Update, Microsoft Update Catalog, or Microsoft Download Center (Microsoft Support).