Security Updates for Microsoft Team Foundation Server (June 2020)

medium Nessus Plugin ID 137270

Synopsis

The Microsoft Team Foundation Server is affected by an HTML injection vulnerability.

Description

The Microsoft Team Foundation Server is missing security updates. It is, therefore, affected by an HTML injection vulnerability because it does not properly sanitize user input. An unauthenticated, remote attacker can exploit this to perform script or content injection attacks, which could trick a user into disclosing sensitive information.

Solution

Microsoft has released the following updates to address this issue:
- Team Foundation Server 2017 Update 3.1 with patch 11
- Team Foundation Server 2018 Update 3.2 with patch 11
- Azure DevOps Server 2019 Update 0.1 with patch 6
- Azure DevOps Server 2019 Update 1.1 with patch 3

Please refer to the vendor guidance to determine the version and patch to apply.

See Also

http://www.nessus.org/u?f6ee4c5f

Plugin Details

Severity: Medium

ID: 137270

File Name: smb_nt_ms20_jun_team_foundation_server.nasl

Version: 1.4

Type: local

Agent: windows

Published: 6/9/2020

Updated: 3/11/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2020-1327

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:microsoft:azure_devops_server, cpe:/a:microsoft:visual_studio_team_foundation_server

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 6/9/2020

Vulnerability Publication Date: 6/9/2020

Reference Information

CVE: CVE-2020-1327