CVE-2019-0874 — Azure DevOps Server Cross-site Scripting Vulnerability

Executive Summary

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server does not properly sanitize user provided input. An authenticated attacker could exploit the vulnerability by sending a specially crafted payload to the Team Foundation Server, which will get executed in the context of the user every time a user visits the compromised page. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content. The security update addresses the vulnerability by ensuring that Azure DevOps Server sanitizes user inputs.

Overview

Important

MS Severity

Not Exploited

MS Exploit Status

Less Likely

MS Exploit Likelihood

Category Spoofing

Released Apr 9 2019

Last Updated Apr 9 2019

Publicly Disclosed No

CISA KEV Not Listed

Known Exploits None Known

EPSS Score 0.01983 — 0.77979 percentile

EPSS Score

0.01983

probability of exploitation in the next 30 days

0.77979 percentile - updated 2026-06-20

View on FIRST.org

Affected Products

1 affected product

Product	KB Article	Severity	Impact	Restart Required
Azure DevOps Server 2019	`Release Notes (Security Update)`	Important	Spoofing	Maybe

Patches

1 patch

Article	Type	Restart
`Release Notes`	Security Update	Maybe

Known Exploits

No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.

Acknowledgments

Wesley Wineberg

References

MSRC Advisory MITRE NVD