CVE-2014-2816
Description
Microsoft SharePoint Server 2013 Gold and SP1 and SharePoint Foundation 2013 Gold and SP1 allow remote authenticated users to gain privileges via a Trojan horse app that executes a custom action in the context of the SharePoint extensibility model, aka "SharePoint Page Content Vulnerability."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker can execute arbitrary JavaScript in the context of a SharePoint user by uploading a malicious app with a custom action, leading to privilege escalation.
Vulnerability
The vulnerability resides in Microsoft SharePoint Server 2013 Gold and SP1, as well as SharePoint Foundation 2013 Gold and SP1. It allows a specially crafted app that uses a custom action to bypass sanitization, executing arbitrary JavaScript in the context of the current user on the SharePoint site. The issue is known as the "SharePoint Page Content Vulnerability" and is addressed in MS14-050 [1].
Exploitation
An attacker must be an authenticated user with permission to upload apps to a SharePoint site. They create a Trojan horse app containing a custom action with malicious JavaScript. When other users interact with the app, the script executes in their session, allowing the attacker to perform actions on their behalf [1].
Impact
Successful exploitation enables the attacker to run arbitrary JavaScript in the context of the victim user on the current SharePoint site. This can lead to data theft, session hijacking, or other unauthorized actions as the victim, effectively escalating the attacker's privileges [1].
Mitigation
Microsoft released security update MS14-050 on August 12, 2014, which corrects how SharePoint sanitizes specially crafted apps that use custom actions. Users should apply the update via Microsoft Update or manually. No workarounds are documented in the available references [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:sharepoint_foundation:2013:-:-:*:gold:*:*:*
- cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2013:-:-:*:gold:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2013:sp1:*:*:*:*:*:*
- Range: ≤ Gold and SP1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.