The proof-of-concept code was released just over two weeks after security consultancy High-Tech Bridge says it disclosed the issue to Microsoft.
Although Microsoft hasn't said much about the seriousness of the bug, security experts worry that hackers could exploit the flaw in order to steal sensitive corporate information used by SharePoint customers, who use the software for building Web portals and collaborating on internal projects.
High-Tech Bridge discovered what is known as a cross-site scripting flaw in SharePoint. If the attacker can get a SharePoint user to click on a link, the bug lets the attacker essentially take control of the user's account.
"With a little bit of insider knowledge you can send a link to a SharePoint user, and if you can cross-site script them, you can do data exfiltration on whatever their account has access to," said Jeremiah Grossman, chief technology officer with Web security consultancy WhiteHat Security.
"Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data," High-Tech Bridge said in a note posted with its code. The company could not be reached immediately for comment.
Even if attackers could take control of a user's account, they might still have a hard time getting data outside of the corporate network, said Thierry Zoller, a principal security consultant with Verizon Business. "It is currently unclear whether there are means to exfiltrate documents over this attack vector," he said via instant message.
Microsoft has reproduced the bug on its internal systems and is now working on a security advisory that will include more information on the bug and what customers can do to secure their systems, said Jerry Bryant, a Microsoft security program manager, in an e-mail message.
Two weeks isn't much time to fix a bug, especially one that was disclosed the day before Microsoft's monthly security updates, but High-Tech Bridge says that it automatically discloses vulnerability details two weeks after notifying the vendor.
The company could not be immediately reached for comment.