PT-2016-1050 · Microsoft · SharePoint Server 2013 SP1+3

Published: 2016-01-12 · Updated: 2018-10-12 · CVE-2016-0011

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Microsoft SharePoint Server 2013 SP1; Microsoft SharePoint Foundation 2013 SP1

Description: The issue allows remote authenticated users to bypass intended Access Control Policy restrictions by modifying a webpart, which can lead to cross-site scripting (XSS) attacks. The vulnerability exists because the webpage structure is inadequately protected, enabling an attacker to circumvent the existing access control policies. As a result, an attacker can read content they are not authorized to see, perform actions on the SharePoint site in the context of the affected user (such as changing permissions or deleting content), and inject malicious content into that user's browser.

Recommendations: For Microsoft SharePoint Server 2013 SP1, ensure that the Access Control Policy configuration settings are correctly enforced so that the security feature cannot be bypassed. For Microsoft SharePoint Foundation 2013 SP1, apply the same measures as for Microsoft SharePoint Server 2013 SP1 to mitigate the risk of exploitation. As a temporary workaround, consider restricting who may modify webparts until a patch is available.

Fix

XSS


Weakness Enumeration

Related identifiers

BDU:2016-00117
CVE-2016-0011

Affected products

SharePoint Foundation 2013 SP1
SharePoint Server 2013 SP1
SharePoint Foundation
SharePoint Server