Detections
Analytics
Azure DevOps Server 2022 XSS
high Nessus Plugin ID 178029
Language:
Synopsis
The Microsoft Team Foundation Server or Azure DevOps is affected by a cross-site scripting vulnerability.Description
The Microsoft Team Foundation Server or Azure DevOps install is missing security updates. It is, therefore, affected by a cross-site scripting vulnerability. An attacker who successfully exploited the vulnerability could access data that is available for the current user. Depending on the user's authorization the attacker could collect detailed data about ADO elements such as org/proj configuration, users, groups, teams, projects, pipelines, board, or wiki. An attacker could also craft page elements to collect user secrets.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Microsoft has released Azure DevOps Server 2022 Patch 2 to address this issue.Please refer to the vendor guidance to determine the version and patch to apply.
See Also
Plugin Details
Severity: High
ID: 178029
File Name: smb_nt_ms23_feb_team_foundation_server_2022_patch2.nasl
Version: 1.1
Type: local
Agent: windows
Family: Windows
Published: 7/7/2023
Updated: 7/10/2023
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.0
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.2
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:N
CVSS Score Source: CVE-2023-21564
CVSS v3
Risk Factor: High
Base Score: 7.1
Temporal Score: 6.6
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:microsoft:azure_devops_server, cpe:/a:microsoft:visual_studio_team_foundation_server
Required KB Items: installed_sw/Microsoft Team Foundation Server
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 2/14/2023
Vulnerability Publication Date: 2/14/2023
Reference Information
CVE: CVE-2023-21564