CVE-2020-1460 in SharePoint Enterprise Server
Summary
by MITRE
<p>A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process.</p> <p>To exploit the vulnerability, an authenticated user must create and invoke a specially crafted page on an affected version of Microsoft SharePoint Server.</p> <p>The security update addresses the vulnerability by correcting how Microsoft SharePoint Server handles processing of created content.</p>
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/24/2026
The vulnerability described in CVE-2020-1460 represents a critical remote code execution flaw within Microsoft SharePoint Server that stems from inadequate validation of ASP.NET web controls. This weakness falls under the CWE-79 category of Cross-Site Scripting, specifically manifesting as an insufficient input validation issue that allows malicious actors to inject unsafe code into web applications. The vulnerability exists in the server's failure to properly sanitize and filter potentially dangerous web controls, creating an attack surface that can be exploited by authenticated users with sufficient privileges to create and execute malicious content within the SharePoint environment.
The technical exploitation of this vulnerability requires an authenticated attacker to leverage the SharePoint Server's content creation capabilities to craft and deploy specially designed pages that contain malicious ASP.NET controls. When these crafted pages are processed by the SharePoint application pool, the unsafe controls are executed within the security context of the application pool process, potentially allowing attackers to escalate privileges and execute arbitrary code with elevated permissions. This represents a serious privilege escalation vector that could enable attackers to gain unauthorized access to sensitive data and system resources within the SharePoint infrastructure.
The operational impact of CVE-2020-1460 extends beyond simple code execution, as it provides attackers with the ability to perform actions that are normally restricted to authorized users within the SharePoint environment. This vulnerability can be exploited to establish persistent access, exfiltrate confidential information, modify content, and potentially use the compromised SharePoint server as a pivot point to attack other systems within the network. The attack requires only an authenticated user account, making it particularly dangerous as it can be exploited by insiders or compromised legitimate users, and the exploitation process is relatively straightforward once the attacker has access to the SharePoint content creation functionality.
Microsoft has addressed this vulnerability through a security update that modifies how SharePoint Server processes created content, specifically enhancing the validation and filtering mechanisms for ASP.NET web controls. Organizations should immediately implement this patch to remediate the vulnerability and prevent potential exploitation. Additional mitigations include implementing proper access controls, monitoring content creation activities, and employing network segmentation to limit the potential impact of successful exploitation. The vulnerability aligns with ATT&CK technique T1059.001 for command and scripting interpreter, as it enables attackers to execute malicious code through the SharePoint application pool context, and T1078.004 for valid accounts, since exploitation requires legitimate authenticated access to create and execute malicious content within the SharePoint environment.