OnlyFm252
Azure DevOps

CVE-2019-1076 — Team Foundation Server Cross-site Scripting Vulnerability

Important EPSS 0.01627 2019-07 archive

Executive Summary

A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input. An authenticated attacker could exploit the vulnerability by sending a specially crafted payload to the Team Foundation Server, which will get executed in the context of the user every time a user visits the compromised page. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content. The security update addresses the vulnerability by ensuring that Team Foundation Server sanitizes user inputs.

Overview

Important
MS Severity
Not Exploited
MS Exploit Status
Less Likely
MS Exploit Likelihood
Category Spoofing
Released Jul 9 2019
Last Updated Jul 9 2019
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known
EPSS Score 0.01627 — 0.73061 percentile

EPSS Score

0.01627
probability of exploitation in the next 30 days
0.73061 percentile - updated 2026-06-20
View on FIRST.org

Affected Products

2 affected products
Product KB Article Severity Impact Restart Required
Azure DevOps Server 2019.0.1 Release Notes (Security Update) Release Notes (Security Update) Important Spoofing Maybe
Team Foundation Server 2018 Update 3.2 Release Notes (Security Update) Release Notes (Security Update) Important Spoofing Maybe

Patches

1 patch
Article Type Restart
Release Notes (Security Update) Release Notes Security Update Maybe

Known Exploits

Acknowledgments

John Mogensen of Microsoft Corporation

On This Page