CVE-2020-0974: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2020-0974) exists in Microsoft SharePoint when the software fails to check the source markup of an application package. The vulnerability was disclosed on April 14, 2020, affecting Microsoft SharePoint Enterprise Server 2016 and SharePoint Server 2019 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Under CVSS v2.0, it received a base score of 6.5 (MEDIUM) with the vector (AV:N/AC:L/Au:S/C:P/I:P/A:P). The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute remote code on the affected SharePoint server. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the system (NVD).

Microsoft has released security updates to address this vulnerability. The fix is included in the security update package KB4484299 for SharePoint Enterprise Server 2016. Organizations are advised to apply the security updates as soon as possible (Microsoft Support).