According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of the vulnerability requires that a target be lured to and make use of a specially crafted functionality on a SharePoint page created by the attacker. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to use the intended functionality. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability. What is the nature of the spoofing? An authenticated attacker could manipulate a SharePoint page they control to trick targeted users into sending attacker-controlled requests to the server under the permissions context of the target.
malacupa