CVE-2020-0978: 
vulnerability analysis and mitigation

A cross-site-scripting (XSS) vulnerability identified as CVE-2020-0978 affects Microsoft SharePoint Server. The vulnerability exists when the server fails to properly sanitize specially crafted web requests to affected SharePoint servers. This vulnerability was disclosed on April 15, 2020, and is also known as 'Microsoft Office SharePoint XSS Vulnerability'. The affected systems include SharePoint Enterprise Server 2016, SharePoint Foundation 2013 SP1, and SharePoint Server 2019 (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Under CVSS v2.0, it received a Base Score of 3.5 (LOW) with the vector (AV:N/AC:M/Au:S/C:N/I:P/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability could allow an attacker to execute cross-site scripting attacks by sending specially crafted web requests to an affected SharePoint server. This could potentially lead to unauthorized disclosure of information and compromise of user sessions (NVD).

Microsoft has released security updates to address this vulnerability. The fix is included in the April 14, 2020 security update for affected SharePoint Server versions (Microsoft Support).