
2018-003: Stored XSS on Microsoft Word (Office 365)


Discovered by: Fabian Cuchietti


Microsoft Word is a word-processing program. It was created by Microsoft and is included by default in the Microsoft Office suite.


This vulnerability allows arbitrary HTML/script code to be executed in the context of the victim user's computer, and the payload is stored in the victim application.


1) Open Microsoft Office Word
2) In the menu, click on the "Insert" category
3) Click on Video Online
4) A popup window will open
5) In the "code to insert video" field, insert our attack vector: ">Click here
6) The XSS executes successfully

When a user searches for an image, a link like the following is generated:

The "url" parameter is not properly validated, so an open redirect can be exploited through this parameter.

Only this parameter is mandatory, so we can exclude some parameters from the GET request because they do not affect the expected results:

How to reproduce the vulnerability:

1. Select the malicious URL
For example:

2. Create the URL redirection to avoid the Google alert message

For example:

3. Encode the URL redirection

For that, we can use a service such as "".

For example:

4. Create the final URL without Google alert


An attacker can execute arbitrary HTML or script code on a targeted user's computer; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.


Preventing XSS requires separation of untrusted data from active browser content:

  • The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. See the OWASP XSS Prevention Cheat Sheet for details on the required data escaping techniques.
  • Positive or whitelist server-side input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.
  • For rich content, consider auto-sanitization libraries like OWASP's AntiSamy or the Java HTML Sanitizer Project.
  • Consider Content Security Policy (CSP) to defend against XSS across your entire site.
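To illustrate the escaping and positive validation recommended above, here is an added Node.js sketch (example code, not from the advisory or from Microsoft) of an "insert video" embed-code handler: the vulnerable pattern that echoes the user's snippet verbatim beside a hardened version that keeps only a validated video URL and rebuilds the markup from trusted constants. The host allowlist, the function names and the iframe attributes are assumptions made for this example.

```javascript
// Added example: the "embed code" handling pattern behind a stored XSS in an
// online-video insert feature. Nothing here is Microsoft's code.

// Assumption: the hosts this deployment is willing to embed video from.
const ALLOWED_VIDEO_HOSTS = new Set(['www.youtube.com', 'youtube.com', 'player.vimeo.com']);

// Vulnerable pattern: the snippet typed into "code to insert video" is placed
// into the stored document HTML verbatim, so any markup the user adds renders
// for every later viewer (that is what makes the XSS stored).
function renderEmbedUnsafe(userEmbedCode) {
  return `<div class="video">${userEmbedCode}</div>`;
}

// Attribute-context escaping (OWASP XSS Prevention Cheat Sheet): neutralise the
// characters that could close the attribute or the tag.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: never reuse the user's markup. Extract the single value the
// feature needs (the video URL), validate it positively (scheme + host
// allowlist), then build the iframe from constants plus the escaped URL.
// Returns null when the snippet carries nothing we are willing to embed.
function renderEmbedSafe(userEmbedCode) {
  // Take the first quoted src="..." value; every other attribute is discarded.
  const m = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(userEmbedCode);
  if (!m) return null;
  let url;
  try {
    url = new URL(m[1]); // rejects relative and malformed values
  } catch (e) {
    return null;
  }
  // Positive validation: https only and a known video host. This also drops
  // javascript: and data: URLs, which parse but have the wrong protocol.
  if (url.protocol !== 'https:' || !ALLOWED_VIDEO_HOSTS.has(url.hostname)) return null;
  const src = escapeAttr(url.href); // normalised by the URL parser, then escaped
  return `<div class="video"><iframe src="${src}" sandbox="allow-scripts allow-same-origin" allowfullscreen></iframe></div>`;
}

module.exports = { renderEmbedUnsafe, renderEmbedSafe, escapeAttr };
```

The unsafe function is only there for contrast; the same attribute-closing payload that breaks out of it yields `null` from the hardened one, while a plain allowlisted embed snippet is rebuilt without any of its other attributes.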


Feb 02, 2018


  • Jun 16, 2018 : Vulnerability acquired by Internet Security Auditors
  • Jun 16, 2018 : Contact with Microsoft Security Team
  • Jun 20, 2018 : Microsoft feedback
  • Jul 07, 2018 : Vulnerability Disclosure


Consult these external references for further information:


The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.


Internet Security Auditors is a Spain- and Colombia-based company, a leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ICT, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers, presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.