Security Update for Microsoft Power BI Report Server (November 2021)

critical Nessus Plugin ID 155143

Synopsis

The remote host has an application installed that is missing a security update.

Description

A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim.

Combining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI templates files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim access one of the HTML files present in the malicious Power BI template uploaded.

The security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitize file uploads.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade Power BI Report Server to version 15.0.1107.165 or later.

See Also

http://www.nessus.org/u?2ec061fe

Plugin Details

Severity: Critical

ID: 155143

File Name: smb_nt_ms21_nov_powerbi.nasl

Version: 1.6

Type: local

Agent: windows

Family: Windows

Published: 11/11/2021

Updated: 11/28/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-41372

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:power_bi_report_server

Required KB Items: installed_sw/Microsoft Power BI Report Server

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/9/2021

Vulnerability Publication Date: 11/9/2021

Reference Information

CVE: CVE-2021-41372

MSFT: MS21-5007903

MSKB: 5007903