Security Updates for Microsoft Team Foundation Server and Azure DevOps Server (July 2020)

Nessus Plugin ID 138472 (Severity: Medium)

Synopsis

The Microsoft Team Foundation Server or Azure DevOps Server installation is affected by a cross-site scripting (XSS) vulnerability.

Description

The Microsoft Team Foundation Server or Azure DevOps Server installation is missing security updates. It is, therefore, affected by a cross-site scripting (XSS) vulnerability because it does not properly sanitize user-provided input. An authenticated, remote attacker can exploit this by sending a specially crafted payload to the TFS or Azure DevOps server; the payload is then executed in the browser context of every user who visits the compromised page.

Solution

Microsoft has released the following updates to address this issue:
- Team Foundation Server 2018 Update 3.2 with patch 12
- Azure DevOps Server 2019 Update 0.1 with patch 7
- Azure DevOps Server 2019 Update 1.1 with patch 4

Please refer to the vendor guidance to determine the version and patch to apply.

See Also

http://www.nessus.org/u?a7db314e

Plugin Details

Severity: Medium

ID: 138472

File Name: smb_nt_ms20_jul_team_foundation_server.nasl

Version: 1.4

Type: local

Agent: windows

Published: 7/14/2020

Updated: 3/11/2021

Dependencies: microsoft_team_foundation_server_installed.nasl, smb_hotfixes.nasl, ms_bulletin_checks_possible.nasl

Risk Information

CVSS Score Source: CVE-2020-1326

VPR

Risk Factor: Low

Score: 3

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:microsoft:azure_devops_server, cpe:/a:microsoft:visual_studio_team_foundation_server

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 7/14/2020

Vulnerability Publication Date: 7/14/2020

Reference Information

CVE: CVE-2020-1326