Important 2018-12 archive

Executive Summary

A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input. An authenticated attacker could exploit the vulnerability by sending a specially crafted payload to the web interface, which will get executed in the context of the user every time a user visits the compromised page. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content. The security update addresses the vulnerability by ensuring that Windows Azure Pack sanitizes user inputs.

Overview

Important
MS Severity
Not Exploited
MS Exploit Status
Not Found
MS Exploit Likelihood
Category Remote Code Execution
Released Dec 11 2018
Last Updated Dec 11 2018
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known

EPSS Score

No EPSS score available for this CVE.

View on FIRST.org

Affected Products

1 affected product
Product KB Article Severity Impact Restart Required
Windows Azure Pack Rollup 13.1 4480788 (Security Update) Important Remote Code Execution Maybe

Patches

1 patch
Article Type Restart
4480788 Security Update Maybe

Known Exploits

Acknowledgments

Cedric Van Bockhaven on behalf of KPN