what you don't know can hurt you

Microsoft Azure DevOps Server 2020.0.1 Cross Site Scripting

Microsoft Azure DevOps Server 2020.0.1 Cross Site Scripting
Posted Apr 14, 2021
Authored by M. Li | Site sec-consult.com

Microsoft Azure DevOps Server version 2020.0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2021-28459
MD5 | 4994087ae5636e46cc4be43cc0c489f6

Microsoft Azure DevOps Server 2020.0.1 Cross Site Scripting

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20210414-0 >
=======================================================================
title: Reflected cross-site scripting
product: Microsoft Azure DevOps Server
vulnerable version: 2020.0.1
fixed version: 2020.0.1 Patch 2
CVE number: CVE-2021-28459
impact: medium
homepage: https://azure.microsoft.com/en-us/services/devops/server/
found: 2021-03-03
by: M. Li (Office Munich)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Atos company
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"What is Azure DevOps Server?
Collaborative software development tools for the entire team

Previously known as Team Foundation Server (TFS), Azure DevOps Server is a set
of collaborative software development tools, hosted on-premises.
Azure DevOps Server integrates with your existing IDE or editor, enabling
your
cross-functional team to work effectively on projects of all sizes."

Source: https://azure.microsoft.com/en-us/services/devops/server/


Business recommendation:
------------------------
SEC Consult recommends upgrading to the latest available version which patches
the security issues.

An in-depth security analysis performed by security professionals is advised,
as the software may be affected from further security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected cross-site scripting
The process template function with the collection settings allows uploading of
a zip file, from which the name of the template is taken and returned to the
browser. This variable is not sanitized, leading to a reflected cross-site
scripting vulnerability.


Proof of concept:
-----------------
1) Reflected cross-site scripting
An authenticated user with privileges to upload project files can access the
Collection Settings of one project. Under the Process function, it is possible
to upload a process template in form of a zip file, which can be obtained
by
downloading an existing template. According to the template structure, the
ProcessTemplate.xml file should contain a name, in which the XSS payload is
injected as below:

```
<ProcessTemplate>
<metadata>
<name>XSS here: <img src=x onerror=alert(document.URL)></name>
<description>This template is flexible and will work great</description>
<version type="aa12a345-00a0-1f11-ba00-b12345b12345" major="1" minor="0" />
<plugins>
```

Soon after the upload, a message is returned to the user, stating the process
template has been renamed to the malicious one with the XSS payload. At this
point, the injected JavaScript will get executed, showing a pop-up window
with
the URL in this case.

In reality, an attacker might send a malicious zip file to administrators
and
trick them into uploading it, thus achieving to compromise their account.


Vulnerable / tested versions:
-----------------------------
The following version has been tested, which was the most recent one at the
time of the test:
- 2020.0.1


Vendor contact timeline:
------------------------
2021-03-08: Contacting vendor through MSRC portal, case number 64141 is auto-assigned.
2021-03-09: Vendor informed that the investigation be started.
2021-04-01: Vendor informed that a fix has been completed and will be released as part
of April Patch Tuesday. CVE-2021-28459 has been assigned to the issue.
2021-04-13: Vendor released the patch.
2021-04-14: Public release of the security advisory.


Solution:
---------
The patch is available at:
https://docs.microsoft.com/en-us/azure/devops/server/release-notes/azuredevops2020?view=azure-devops&branch=releasenotes%2Fmarchpatch#azure-devops-server-202001-patch-2-release-date-march-9-202


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos ​company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Li / @2021

Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    26 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    11 Files
  • 8
    May 8th
    2 Files
  • 9
    May 9th
    2 Files
  • 10
    May 10th
    13 Files
  • 11
    May 11th
    17 Files
  • 12
    May 12th
    22 Files
  • 13
    May 13th
    11 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close