SRC-2020-0020 : Microsoft SharePoint Server ExchangeAutodiscover GetDataFromURL Blind Server-Side Request Forgery Vulnerability



CVSS Score:

8.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L/E:P/RL:O/RC:C)

Affected Vendors:

Microsoft

Affected Products:

Microsoft SharePoint Server

Vulnerability Details:

This vulnerability allows remote attackers to escalate privileges under certain conditions. Authentication is required to exploit this vulnerability.

The specific flaw exists within the AsynchronousWebPartService.GetFreeBusyStatusForOneUser function. The issue results from the lack of proper validation of a user-supplied email address when performing web requests. An attacker can leverage this vulnerability to execute arbitrary web requests to protected resources.
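The missing check, sketched as an added example (this is not Microsoft's fix and not code from the advisory): vet the email address before any server-side request is derived from it. The trusted-domain set, the `autodiscover.<domain>` host derivation, the injected `resolve` callable and the sample DNS data are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: mail domains served by the organisation's own Exchange (hypothetical).
TRUSTED_MAIL_DOMAINS = {"contoso.example"}

# Host name only: dot-separated LDH labels and an alphabetic TLD. This rejects
# IP literals, ports, paths, userinfo and any other URL metacharacter.
_DOMAIN = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def extract_domain(email):
    """Return the lower-cased domain of a plain local@domain address, else None."""
    local, sep, domain = email.partition("@")
    domain = domain.lower()
    if not local or not sep or len(domain) > 253 or not _DOMAIN.fullmatch(domain):
        return None
    return domain


def vet_lookup_target(email, resolve):
    """Decide whether a server-side lookup for `email` may go out.

    `resolve` maps a host name to a list of IP strings (injected so the check
    runs offline). Returns (allowed, host_or_reason).
    """
    domain = extract_domain(email)
    if domain is None:
        return False, "malformed address"
    host = "autodiscover." + domain  # assumed derivation of the lookup host
    if domain in TRUSTED_MAIL_DOMAINS:
        return True, host  # internal targets are reachable only via this list
    addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    for text in addresses:
        try:
            if not ipaddress.ip_address(text).is_global:
                return False, "resolves to non-public address " + text
        except ValueError:
            return False, "unparseable address"
    return True, host


# Constructed resolver data for the demonstration; not real DNS answers.
SAMPLE_DNS = {
    "autodiscover.partner.example": ["8.8.8.8"],
    "autodiscover.intranet.example": ["10.0.0.5"],
    "autodiscover.meta.example": ["8.8.8.8", "169.254.169.254"],
}
```

A check like this only holds if the request is then sent to the addresses that were vetted; resolving again at connect time reopens the gap.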

Vendor Response:

Microsoft has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline:

  • 2020-07-02 – Sent to Microsoft
  • 2020-09-08 – Coordinated public release of advisory


This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team