Microsoft Power BI Report Server cross site scripting [CVE-2019-1332]

A vulnerability was found in Microsoft Power BI Report Server, SQL Server 2017 Reporting Services and SQL Server 2019 Reporting Services (Database Software) (the affected version is unknown). It has been declared as problematic. This vulnerability affects an unknown function. The manipulation with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-80. As an impact it is known to affect integrity. An attacker might be able to inject arbitrary html and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.

The weakness was published 12/10/2019 as confirmed security update guide (Website). The advisory is shared for download at portal.msrc.microsoft.com. The public release has been coordinated with the vendor. This vulnerability was named CVE-2019-1332. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 12/10/2019). The advisory points out:

A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server. An attacker who successfully exploited the vulnerability could run scripts in the context of the targeted user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content.

Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Type

Vendor

Name

VulDB Meta Base Score: 4.3
VulDB Meta Temp Score: 4.1

VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔒
VulDB Reliability: 🔍

VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Class: Cross site scripting (CWE-80)
Local: No
Remote: Yes

Availability: 🔒
Status: Not defined

Price Prediction: 🔍
Current Price Estimation: 🔒

Threat Intelligenceinfoedit

Threat: 🔍
Adversaries: 🔍
Geopolitics: 🔍
Economy: 🔍
Predictions: 🔍
Remediation: 🔍Recommended: Patch
Status: 🔍

Reaction Time: 🔒
0-Day Time: 🔒
Exposure Time: 🔒

12/10/2019 Advisory disclosed
12/10/2019 +0 days Countermeasure disclosed
12/10/2019 +0 days VulDB entry created
12/10/2019 +0 days VulDB last updateVendor: microsoft.com

Advisory: portal.msrc.microsoft.com
Status: Confirmed
Coordinated: 🔒

CVE: CVE-2019-1332 (🔒)

Created: 12/10/2019 10:10 PM
Complete: 🔍

Comments

Comments are closed.