CVE-2015-2556

Microsoft SharePoint Server 2007 SP3 and 2010 SP2 - XML External Entity Injection in InfoPath Forms Services

Title source: llm
STIX 2.1

Description

The InfoPath Forms Services component in Microsoft SharePoint Server 2007 SP3 and 2010 SP2 misparses DTDs, which allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka "Microsoft SharePoint Information Disclosure Vulnerability."

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033804

Scores

EPSS 0.1562
EPSS Percentile 96.4%

Details

CWE
CWE-200
Status published
Products (2)
microsoft/sharepoint_server 2007 sp3
microsoft/sharepoint_server 2010 sp2
Published Oct 14, 2015
Tracked Since Feb 18, 2026