MS15-099 - SharePoint XSS
Recently, during a review of SharePoint, I came across a vulnerability discovered by the Fortinet team and published on their blog here:
https://blog.fortinet.com/post/sharepoint-2013-xss-vulnerability-discovered
The post contained information on what a successful exploit would look like, but provided no final exploit for verification or testing.
After a bit of review, I found the following POC code which, when triggered, shows a simple alert dialog box:
http"http://"http://onmouseover=alert(1);//"
This vulnerability leverages SharePoint's ability to automatically create links for an entered URL, for example when the URL is entered into a "Notes" or "Title" field.
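For reference on the defensive side of the auto-linking behaviour described above, here is an added example (not SharePoint's code and not part of the original post): a hypothetical `linkify` routine that HTML-encodes all user text, links only a strictly matched URL, and works in a single pass, run against the PoC string from this page. The function names and the URL pattern are assumptions made for the illustration.

```javascript
// Added example (hypothetical helper names; not SharePoint code).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can end a text node or an attribute value.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Assumed URL pattern: scheme, a host made only of letters, digits, dots and
// hyphens, an optional port, and an optional path that stops at whitespace,
// quotes or angle brackets. Anything outside the match stays plain text.
const URL_RE = /https?:\/\/[a-z0-9.-]+(?::\d+)?(?:\/[^\s"'<>]*)?/gi;

// Turn URLs in untrusted text into anchors.
// - The input is scanned once; generated markup is never scanned again.
// - Text between matches is encoded, so quotes cannot open an attribute.
// - The URL is encoded again where it is placed inside href="...".
function linkify(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    const url = m[0];
    out += escapeHtml(text.slice(last, m.index));
    out += `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// PoC string quoted on this page, used here as input for the encoder.
const POC = 'http"http://"http://onmouseover=alert(1);//"';
console.log(linkify(POC));
```

With this approach the quotes in the PoC come out as `&quot;` text and `onmouseover=alert(1);` is rendered as visible characters after the link instead of as an attribute.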