id: CVE-2020-16952 info: name: Microsoft SharePoint Server-Side Include (SSI) and ViewState RCE author: dwisiswant0 severity: critical description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16951. reference: | - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952 - https://srcincite.io/pocs/cve-2020-16952.py.txt - https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md tags: cve,cve2020,sharepoint,iis requests: - method: GET path: - "{{BaseURL}}" matchers-condition: and matchers: - type: regex regex: - "15\\.0\\.0\\.(4571|5275|4351|5056)" - "16\\.0\\.0\\.(10337|10364|10366)" # - "16.0.10364.20001" condition: or part: body - type: word words: - "MicrosoftSharePointTeamServices" part: header - type: status status: - 200 - 201 condition: or