This vulnerability results from insufficient input neutralization during web page generation in Microsoft SharePoint. An attacker who has valid credentials can inject malicious scripts that are executed in other users’ browsers, allowing the attacker to impersonate legitimate users or alter the appearance of SharePoint pages. The impact is primarily spoofing, which could be leveraged for social engineering or undisclosed data access within the organization.

The affected products are Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. No specific patch levels or version numbers beyond these product families are listed.

The CVSS score of 4.6 indicates a moderate severity level. Since the attacker must first be authenticated, the attack vector is limited to users with authorized access, though any such user could act remotely through the web interface. EPSS data is currently unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread exploitation is known. Nonetheless, an authenticated attacker can exploit the XSS flaw to modify page content for other users, leading to spoofing scenarios that could facilitate further attacks. The risk can be mitigated by applying the official Microsoft security update.