
A significant security vulnerability has been discovered and patched in Microsoft SharePoint’s Power Platform connector. The flaw, rated as “Important” by Microsoft, could enable attackers to capture user credentials and execute unauthorized actions within the system.
Key Points:
– The vulnerability affects multiple services including Power Automate, Power Apps, Copilot Studio, and Copilot 365
– Microsoft patched the issue on December 13, following its discovery in September 2024
– The flaw is classified as a server-side request forgery (SSRF) vulnerability
Attack Requirements:
– Attackers need Environment Maker and Basic User roles in Power Platform
– Initial access to the target organization is a prerequisite
– Exploitation involves manipulating custom URL values within the SharePoint connector
Potential Impact:
– Unauthorized access to sensitive SharePoint data
– Ability to send API requests impersonating legitimate users
– Possible token harvesting through Canvas apps or Copilot agents
– Extended attack surface through Teams channel integration
The vulnerability highlights significant security concerns within Power Platform’s interconnected services, particularly regarding SharePoint connector usage and access right management across various environments. Organizations using these services should ensure they’ve applied the latest security patches to prevent potential exploitation.
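The article describes the flaw as an SSRF reached by manipulating custom URL values in the SharePoint connector. The usual defensive control for that class of bug is a strict allowlist check on any user-supplied URL before a server-side request is made with it. The following is an added example of such a check, written for this page; it is not Microsoft's code and not part of the original article. The tenant host names and the sample URLs are constructed for illustration.

```python
"""
Added example (not from the original article, not Microsoft's code):
a strict allowlist check for user-supplied URL values that a connector
or proxy would apply before issuing a server-side request on a user's
behalf. Host names and sample inputs are constructed.
"""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the tenant's own SharePoint hosts, matched exactly.
ALLOWED_HOSTS = frozenset({
    "contoso.sharepoint.com",
    "contoso-my.sharepoint.com",
})


def check_connector_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason).

    Only https URLs whose host is exactly one of the allowlisted tenant
    hosts pass. Every construct that could steer the server-side request
    somewhere else (other schemes, userinfo tricks, IP literals, odd ports,
    look-alike domains, whitespace/backslash parser confusion) is rejected
    with a reason suitable for logging.
    """
    if any(ch.isspace() for ch in url) or "\\" in url:
        return False, "whitespace or backslash in URL"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False, "unparseable URL or port"
    if parts.scheme != "https":  # urlsplit already lower-cases the scheme
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # "https://allowed.host@evil.host/" parses with evil.host as hostname
        return False, "userinfo (user@host) not allowed"
    host = parts.hostname  # lower-cased; IPv6 brackets stripped
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"
    except ValueError:
        pass  # not an IP literal, continue
    if port not in (None, 443):
        return False, f"port {port} not allowed"
    if host not in allowed_hosts:
        # exact match: "contoso.sharepoint.com.evil.example" must fail
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs showing which shapes pass and which do not.
    samples = [
        "https://contoso.sharepoint.com/sites/hr/_api/web",
        "https://CONTOSO.sharepoint.com/",
        "http://contoso.sharepoint.com/",
        "https://contoso.sharepoint.com@other.example/",
        "https://contoso.sharepoint.com.other.example/",
        "https://10.0.0.5/",
        "https://[::1]/",
        "https://contoso.sharepoint.com:8443/",
    ]
    for sample in samples:
        ok, reason = check_connector_url(sample)
        print(f"{'ALLOW' if ok else 'DENY '} {sample}  ({reason})")
```

The check deliberately returns a reason string alongside the verdict so that a denial can be written to the connector's audit log; repeated denials from one maker account are a useful signal when reviewing Environment Maker activity.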