Impact
The flaw originates from improper neutralization of input during web page generation, classified as CWE‑79 (cross‑site scripting). When the SharePoint server renders content to users, malicious input can be injected into the page, causing browsers to execute unintended scripts. An attacker can use this to display spoofed content or redirect users to malicious sites, effectively deceiving users over the network.
Affected Systems
Affected products are Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. Exact version numbers are not listed in the CVE data, so all listed product lines are considered impacted.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. The EPSS score of 1% suggests a low current likelihood of exploitation, and the vulnerability is not listed in the Center for Internet Security's Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is inferred to be remote, web‑based XSS in which an attacker supplies untrusted input to a SharePoint page that is then rendered to other users. The risk remains significant for environments that expose SharePoint sites to untrusted input, or where the users who view the affected pages hold elevated privileges.
OpenCVE Enrichment