CVE-2020-0695 in Office Online Server

Summary

by MITRE

A spoofing vulnerability exists when Office Online Server does not validate origin in cross-origin communications correctly, aka 'Microsoft Office Online Server Spoofing Vulnerability'.


Analysis

by VulDB Data Team • 05/11/2025

CVE-2020-0695 is a critical cross-origin resource sharing (CORS) validation flaw in Microsoft Office Online Server: the server does not correctly verify the origin of cross-origin communications. Because the originating source of a request is not properly checked, an attacker can craft deceptive responses that appear legitimate to client applications. The flaw affects Office Online Server versions that process cross-origin requests without adequate origin checking, allowing an adversary to manipulate the server's response handling.

The issue is a spoofing vulnerability at the application layer, in the server-side validation logic that should enforce strict origin controls for cross-origin requests. It stems from the server's failure to enforce a proper CORS policy: requests from untrusted origins are accepted without sufficient validation. CWE-346 classifies this as an origin validation weakness that enables cross-site request forgery; the ATT&CK framework maps it to T1566 (Phishing) and T1071.004 (Application Layer Protocol: DNS) as means of establishing persistent deception. At the implementation level, the server's HTTP request processing neither adequately verifies the Origin header nor applies proper access control policies for cross-origin resource sharing.

The operational impact goes beyond simple spoofing: an attacker who manipulates Office Online Server responses can redirect users to malicious sites, inject false content, or harvest sensitive information from authenticated sessions. Exploitation bypasses the security boundaries that should prevent unauthorized cross-origin communication, potentially leading to credential theft, session hijacking, or data exfiltration. The attack surface covers any user interaction with Office Online Server that involves cross-origin requests, in particular document sharing, collaboration features, and web-based Office applications. Organizations running affected versions face a significant risk of unauthorized access and data compromise, especially where users interact with external web services or collaborate across different domains.

Mitigation of CVE-2020-0695 should start with prompt deployment of Microsoft's security updates that address the CORS validation flaw. Administrators should add further controls: strict CORS policy enforcement, Origin header validation, and web application firewalls that can detect and block malformed cross-origin requests. This approach aligns with the access control and network security controls described in NIST SP 800-53 and ISO 27001. Organizations should also deploy monitoring that can detect anomalous cross-origin request patterns and establish incident response procedures for suspected exploitation attempts. Finally, administrators should review and harden the server's CORS configuration so that only explicitly trusted origins can communicate with the Office Online Server, reducing the attack surface and preventing unauthorized cross-origin resource access that could lead to broader compromise.
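The strict origin validation and the log-based detection recommended above, as an added reference example; this is not Office Online Server code or Microsoft's fix, and the allowlist, host names, request paths and log format are all constructed for illustration:

```python
"""Exact-match Origin allowlisting (CWE-346 mitigation) plus a detector that
flags non-allowlisted Origin values in access logs. Added example; the
allowlist, log format, host names and paths below are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist: canonical scheme://host[:port] values only.
ALLOWED_ORIGINS = {"https://collab.example.com", "https://portal.example.com:8443"}

def normalize_origin(origin: str):
    """Return the Origin as canonical scheme://host[:port], or None if it is
    absent, 'null', malformed, or carries parts an Origin header never has."""
    if not origin or origin.strip().lower() == "null":
        return None                      # "null" (sandboxed frame, file://) is never trusted
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None                      # no path, query or credentials in a real Origin
    try:
        port = parts.port
    except ValueError:                   # non-numeric port
        return None
    default = {"https": 443, "http": 80}[parts.scheme]
    suffix = f":{port}" if port and port != default else ""
    return f"{parts.scheme}://{parts.hostname}{suffix}"

def cors_headers(origin: str, allowed=ALLOWED_ORIGINS) -> dict:
    """CORS response headers for an allowlisted Origin, else an empty dict.
    Comparison is exact: prefix/suffix/substring matching is the classic
    origin-validation mistake, and the Origin is never echoed unchecked."""
    canon = normalize_origin(origin)
    if canon is None or canon not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": canon, "Vary": "Origin"}

# Constructed access-log lines: "<client_ip> <method> <path> origin=<Origin header>"
SAMPLE_LOG = """\
10.0.0.5 GET /doc/view/17 origin=https://collab.example.com
10.0.0.9 POST /doc/save/17 origin=https://collab.example.com.attacker.test
10.0.0.7 GET /doc/view/42 origin=null
10.0.0.7 GET /doc/view/42 origin=https://portal.example.com:8443
10.0.0.2 POST /doc/save/42 origin=http://collab.example.com
"""

def suspicious_origins(log_text: str, allowed=ALLOWED_ORIGINS) -> list:
    """Return (client_ip, origin) for every request whose Origin is not allowlisted."""
    flagged = []
    for line in log_text.splitlines():
        ip, _method, _path, origin_field = line.split(" ", 3)
        origin = origin_field.split("=", 1)[1]
        if not cors_headers(origin, allowed):
            flagged.append((ip, origin))
    return flagged
```

The second and fifth sample lines show the two lookalikes an exact-match check must reject: a host that merely starts with a trusted name, and a scheme downgrade of a trusted host.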

Reservation

11/04/2019

Moderation

accepted

CPE

ready

EPSS

0.00942

KEV

no

Activities

very low
