KB 3137909: Vulnerabilities in ASP.NET Templates Could Allow Tampering

medium Nessus Plugin ID 88699

Synopsis

The remote Windows host has ASP.NET templates that are affected by a cross-site request forgery vulnerability.

Description

The remote Windows host has a version of Visual Studio installed whose ASP.NET MVC5 or ASP.NET MVC6 project templates are affected by a cross-site request forgery (XSRF) vulnerability. ASP.NET projects built from these templates inherit the XSRF vulnerability.

Solution

Microsoft has released a patch for the Visual Studio 2015 ASP.NET project templates for MVC5 and MVC6. For Visual Studio 2013, you must manually update the templates as referenced in the vendor advisory.

See Also

http://www.nessus.org/u?7b2a43f2

http://www.nessus.org/u?04aaa19c

http://www.nessus.org/u?346322b4

Plugin Details

Severity: Medium

ID: 88699

File Name: smb_nt_kb3137909.nasl

Version: 1.5

Type: local

Agent: windows

Family: Windows

Published: 2/11/2016

Updated: 6/27/2022

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Score based on analysis of the vendor advisory.

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Vulnerability Information

CPE: cpe:/a:microsoft:visual_studio

Required KB Items: SMB/MS_Bulletin_Checks/Possible, installed_sw/Microsoft Visual Studio

Patch Publication Date: 2/9/2016

Vulnerability Publication Date: 2/9/2016