Microsoft · SharePoint Server · CVE-2018-8580
**Name of the Vulnerable Software and Affected Versions**
Microsoft SharePoint Server (affected versions not specified)
**Description**
An information disclosure issue exists because certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site search attacks, a variant of cross-site request forgery (CSRF). When a user who is logged in to Microsoft SharePoint Server visits a malicious web page, an attacker can induce the browser to invoke search queries as that user. Although the attacker cannot access search results or documents directly, they can determine whether a query returned results, which lets them discover facts about the documents searchable by the logged-in user by issuing targeted queries.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.