[Forgot Password]
Login  Register Subscribe

24547

 
 

132804

 
 

129935

 
 

909

 
 

106980

 
 

152

Paid content will be excluded from the download.


Download | Alert*
OVAL

Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability - CVE-2019-0866

ID: oval:org.secpod.oval:def:54256Date: (C)2019-04-11   (M)2018-12-13
Class: VULNERABILITYFamily: windows




A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input. An authenticated attacker could exploit the vulnerability by sending a specially crafted payload to an Azure DevOps server or a Team Foundation server, which will get executed in the context of the user every time a user visits the compromised page. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content.

Platform:
Microsoft Windows 10
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016
Microsoft Windows Server 2019
Product:
Azure DevOps Server 2019
Microsoft Visual Studio Team Foundation Server 2015 Update 4.2
Microsoft Visual Studio Team Foundation Server 2018 Update 1.2
Microsoft Visual Studio Team Foundation Server 2018 Update 3.2
Microsoft Visual Studio Team Foundation Server 2017 Update 3.1
Reference:
CVE-2019-0866
CVE    1
CVE-2019-0866
CPE    8
cpe:/a:microsoft:visual_studio_team_foundation_server:2018
cpe:/a:microsoft:visual_studio_team_foundation_server:2018:u3.2
cpe:/a:microsoft:visual_studio_team_foundation_server:2017:u3.1
cpe:/a:microsoft:visual_studio_team_foundation_server:2015
...

© SecPod Technologies