PT-2015-2327 · Microsoft · Sharepoint Server+1

Published: 2015-10-13 · Updated: 2018-10-12 · CVE-2015-2556

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Microsoft SharePoint Server versions 2007 SP3 through 2010 SP2

Description: The InfoPath Forms Services component improperly parses Document Type Definitions (DTDs) in XML files, which can lead to an information disclosure vulnerability. A remote attacker can exploit this vulnerability to read arbitrary files on a SharePoint server by using a specially crafted XML document containing an external entity declaration. To exploit the vulnerability, the attacker must have write permissions to a site, and InfoPath Services must be enabled.

Recommendations: For Microsoft SharePoint Server 2007 SP3 and Microsoft SharePoint Server 2010 SP2, update to a version that properly parses DTDs in XML files to prevent exploitation. As a temporary workaround, consider disabling the InfoPath Forms Services component until a patch is available.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2015-11692
CVE-2015-2556

Affected Products

Infopath Forms Services
Sharepoint Server