SB2018111315 - Multiple vulnerabilities in Microsoft Team Foundation Server

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2018-8602)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Authorization bypass (CVE-ID: CVE-2018-8529)

The disclosed vulnerability allows a remote attacker to bypass authorization on the target system.

The vulnerability exists due to Team Foundation Server (TFS) does not enable basic authorization on the communication between the TFS and Search services. A remote attacker can bypass authorization to run certain commands on the Search service and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install update from vendor's website.

References

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8602
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8529