Tag Archives: ReflectedXSS

May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader

Presenting the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. While the previous April edition featured only one vulnerability, this one includes four, covering different technologies and attack scenarios.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431). The vulnerability allows an attacker to gain root privileges.

🔻 RCE - Apache ActiveMQ (CVE-2026-34197). A vulnerability in a solution widely used in enterprise systems and integration platforms.

🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). A vulnerability in a Microsoft solution widely used in enterprise systems for collaboration, document management, and internal portal development.

🔻 RCE - Adobe Reader (CVE-2026-34621). A vulnerability in a widely used PDF document viewer; actively exploited in phishing attacks.

🟥 The full list of trending vulnerabilities is available on the portal

About the Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability

A vulnerability from the April Microsoft Patch Tuesday. The description provided by Microsoft experts is extremely vague: "Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)." Spoofing is an attack in which a threat actor forges data, an address, an identifier, or a trusted source in order to impersonate a legitimate user, service, or system.

What is actually hidden behind this description? In the April Microsoft Patch Tuesday review, a ZDI expert noted that vulnerabilities of this kind in SharePoint are often associated with XSS attacks.

🛠 On April 23, an exploit was published on GitHub, whose author claims that the vulnerability can be summarized as follows: "An unauthenticated attacker can send a specially crafted HTTP request to inject malicious JavaScript (reflected XSS), which executes in the security context of the SharePoint site."

In other words, the attacker sends a specially crafted request to the SharePoint server, causing SharePoint to generate a malicious link on behalf of a trusted source. The attacker then passes this link to the user. When the user opens the link, the injected malicious JavaScript executes in the context of SharePoint, where it can be used to steal data from the current session, intercept authentication tokens, and perform actions on behalf of the user through the user's active session.
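To hunt for the request pattern described above in web server logs, the following added example (not code from the post, from Microsoft, or from the GitHub exploit author) decodes nested URL-encoding in query strings and separates anonymous probes from requests where a signed-in user opened a crafted link. It assumes IIS W3C logs with a `#Fields:` header; the log lines, paths, user and IP addresses are constructed, and because the page does not name the affected endpoint the check applies to every query string.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt: documentation IPs, placeholder paths and user.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-04-03 09:12:01 GET /sites/demo/placeholder.aspx q=%3Cscript%3Ealert(1)%3C%2Fscript%3E - 203.0.113.10 200
2026-04-03 09:12:05 GET /sites/demo/placeholder.aspx q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E - 203.0.113.10 200
2026-04-03 09:13:40 GET /sites/demo/placeholder.aspx q=quarterly+report alice@contoso.example 198.51.100.7 200
2026-04-05 14:30:12 GET /sites/demo/placeholder.aspx q=%3Cscript%3Ealert(1)%3C%2Fscript%3E alice@contoso.example 198.51.100.7 200
2026-04-05 14:31:00 GET /sites/demo/home.aspx - - 198.51.100.9 200
"""

# Script-capable markup that has no business in a query string.
MARKUP = re.compile(r"<\s*script\b|<[^>]*\son\w+\s*=|javascript\s*:", re.I)

def decode_fully(value, max_rounds=3):
    """Undo nested URL-encoding so %253C and %3C are both seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def hunt(log_text):
    """Yield one finding per request whose decoded query carries script markup."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log itself
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            query = decode_fully(row.get("cs-uri-query", "-"))
            if MARKUP.search(query):
                user = row.get("cs-username", "-")
                yield {
                    "when": f"{row['date']} {row['time']}",
                    "client": row["c-ip"],
                    "stem": row["cs-uri-stem"],
                    "query": query,
                    # "-" is an anonymous request; a username means a user opened the link
                    "kind": "probe" if user == "-" else "user-click",
                    "user": user,
                }

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["kind"], f["when"], f["client"], f["user"], f["query"])
```

A `user-click` finding is the one to escalate first: it marks a session in which injected script may have run, so that user's tokens and recent actions deserve review.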

👾 Microsoft experts marked the vulnerability as exploited in the wild on April 14, the day the April Microsoft Patch Tuesday was published. The vulnerability was added to the CISA KEV catalog. On the same day, researchers from Defused reported coordinated reconnaissance activity targeting vulnerable SharePoint servers, carried out from four IP addresses between April 1 and April 11.

⚙️ Updates are available for Microsoft SharePoint Server 2016, 2019, and Subscription Edition.