A critical Local File Inclusion (LFI) vulnerability was recently discovered in Microsoft 365’s Export to PDF functionality, potentially allowing attackers to access sensitive server-side data, including configuration files, database credentials, and application source code. The security implications extended beyond simple file disclosure, potentially exposing Microsoft secrets, database connection strings, application source code, and, in multi-tenant environments, cross-tenant data.

Security researcher Gianluca Baldi discovered the vulnerability during a client web application assessment, where a file conversion feature transformed documents into PDF format through Microsoft 365 SharePoint integration. The flaw exploited an undocumented behavior in Microsoft Graph APIs that enabled HTML-to-PDF conversion with embedded file inclusion capabilities.

The exploitation process involved embedding malicious HTML tags such as <embed>, <object>, and <iframe> within HTML content to force local file inclusion during PDF conversion. The conversion process lacked proper input validation and file path restrictions, enabling path traversal attacks that could access files outside the server’s designated root directory. This effectively bypassed standard security controls and file access restrictions.

Baldi reported the vulnerability through Microsoft's bug bounty program, and Microsoft subsequently patched it. The report earned a $3,000 bounty reward for its significant impact on enterprise security.
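A pre-conversion check for the input validation gap described above, as an added example that is not from the article, the researcher or Microsoft: it flags <embed>, <object> and <iframe> references that are not absolute HTTPS URLs before HTML reaches a PDF converter. The allowlist policy, the function names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags the article names, mapped to the attribute that carries the reference.
REF_ATTRS = {"embed": "src", "iframe": "src", "object": "data"}
ALLOWED_SCHEMES = {"https"}  # assumed policy: only absolute HTTPS URLs pass


def classify(ref):
    """Return a rejection reason for a reference, or None if it is allowed."""
    try:
        parts = urlsplit(ref.strip())
    except ValueError:
        return "unparseable reference"
    scheme = parts.scheme.lower()
    if not scheme:
        return "no scheme (relative, traversal or UNC-style path)"
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme '{scheme}' not allowed"
    if not parts.netloc:
        return "no host in URL"
    return None


class EmbedAuditor(HTMLParser):
    """Collects (tag, reference, reason) for every rejected embed target."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also called for <tag ... />
        attr = REF_ATTRS.get(tag)  # HTMLParser lowercases tag and attr names
        ref = dict(attrs).get(attr) if attr else None
        if ref is not None and (reason := classify(ref)):
            self.findings.append((tag, ref, reason))


def audit(html):
    """Parse untrusted HTML and return the embed targets that must be rejected."""
    auditor = EmbedAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one allowed remote frame and two local references.
SAMPLE = ('<p>Report</p><iframe src="https://example.com/chart"></iframe>'
          '<embed src="file:///constructed/placeholder.txt">'
          '<object data="../../constructed/placeholder.cfg"></object>')
```

A non-empty result from `audit()` should cause the document to be rejected rather than rewritten; the converter should also run without access to local files, so the check is not the only barrier.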
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 09 Jul 2025 13:20:13 +0000