CVE-2015-2556: Infoleak
First published: Wed Oct 14 2015(Updated: )
The InfoPath Forms Services component in Microsoft SharePoint Server 2007 SP3 and 2010 SP2 misparses DTDs, which allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka "Microsoft SharePoint Information Disclosure Vulnerability."
Credit: secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft SharePoint Server 2010 | =2007-sp3 | |
| Microsoft SharePoint Server 2010 | =2010-sp2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2015-2556?
CVE-2015-2556 has a severity rating of important according to Microsoft.
How do I fix CVE-2015-2556?
To remediate CVE-2015-2556, apply the security updates provided in Microsoft Security Bulletin MS15-110.
What types of attacks does CVE-2015-2556 expose users to?
CVE-2015-2556 exposes users to XML External Entity (XXE) attacks that can lead to arbitrary file reading.
Which versions of Microsoft SharePoint are affected by CVE-2015-2556?
CVE-2015-2556 affects Microsoft SharePoint Server 2007 SP3 and 2010 SP2.
Can CVE-2015-2556 be exploited remotely?
Yes, CVE-2015-2556 can be exploited remotely by attackers through specially crafted XML documents.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/microsoft
- canonical/microsoft sharepoint server 2010
- version/microsoft sharepoint server 2010/2007-sp3
- version/microsoft sharepoint server 2010/2010-sp2