CVE-2020-1100: 
vulnerability analysis and mitigation

A cross-site-scripting (XSS) vulnerability (CVE-2020-1100) exists when Microsoft SharePoint Server does not properly sanitize specially crafted web requests to an affected SharePoint server, also known as 'Microsoft Office SharePoint XSS Vulnerability'. This vulnerability was disclosed on May 21, 2020, and affects multiple versions of SharePoint including SharePoint Enterprise Server 2016, SharePoint Foundation 2013 SP1, SharePoint Server 2010 SP2, and SharePoint Server 2019 (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with potential impacts to confidentiality and integrity but not availability (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute cross-site scripting attacks against users of affected SharePoint servers. The impact is considered medium severity with potential for information disclosure and integrity compromise through user interaction (NVD).

Microsoft has released security updates to address this vulnerability. The fix is included in the May 2020 security updates for affected SharePoint versions. Organizations should apply the security update KB4484336 for SharePoint Enterprise 2016 and corresponding updates for other affected versions (Microsoft Support).