CVE-2019-1332 — Microsoft SQL Server Reporting Services XSS Vulnerability
Executive Summary
A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server. An attacker who successfully exploited the vulnerability could run scripts in the context of the targeted user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content. To exploit the vulnerability, an attacker would need to convince an authenticated user to click a specially-crafted link to an affected SSRS server. The update addresses the vulnerability by correcting SSRS URL sanitization.
Overview
EPSS Score
Affected Products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU) | 4535706 (Security Update) |
Important | Spoofing | Maybe |
| Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR) | 4532097 (Security Update) |
Important | Spoofing | Maybe |
| Power BI Report Server | Release Notes (Security Update) |
Important | Spoofing | Maybe |
| SQL Server 2017 Reporting Services | Release Notes (Security Update) |
Important | Spoofing | Maybe |
| SQL Server 2019 Reporting Services | Release Notes (Security Update) |
Important | Spoofing | Maybe |
Patches
| Article | Type | Restart |
|---|---|---|
4535706 |
Security Update | Maybe |
4532097 |
Security Update | Maybe |
Release Notes |
Security Update | Maybe |
Known Exploits
Acknowledgments
Matei "Mal" Badanoiu