Azure DevOps Server HTML Injection Vulnerability - CVE-2019-0869ID: oval:org.secpod.oval:def:54259 | Date: (C)2019-04-11 (M)2021-06-02 |
Class: VULNERABILITY | Family: windows |
A spoofing vulnerability that could allow a security feature bypass exists in when Azure DevOps Server does not properly sanitize user provided input. An attacker who exploited the vulnerability could trick a user into loading a page containing malicious content. An authenticated attacker could exploit the vulnerability by sending a specially crafted payload to the Azure DevOps Server, which would get executed in the context of the user every time a user visits the compromised page. To exploit the bypass, an attacker can leverage any external source in the script-src to embed malicious script by bypassing Content Security Policy (CSP).
Platform: |
Microsoft Windows 10 |
Microsoft Windows Server 2012 |
Microsoft Windows Server 2012 R2 |
Microsoft Windows Server 2016 |
Microsoft Windows Server 2019 |
Product: |
Azure DevOps Server 2019 |