The team behind Azure DevOps Server has made a couple of security patches available, which are meant to mitigate some cross-site scripting and privilege elevation vulnerabilities.

Though Microsoft rates exploitation of all three issues fixed in DevOps Server 2019.1.1 Patch 1 and 2019.0.1 Patch 5 as less likely, teams can reduce that risk by upgrading their systems.

The cross-site scripting issue dubbed CVE-2020-0700 allowed attackers to send a “specially crafted payload to the Team Foundation Server, which will get executed in the context of the user every time a user visits the compromised page”. 

This in turn facilitated cross-site scripting attacks, opening up the possibility of attackers executing malicious code, reading content without proper authorisation, and taking actions such as deleting content on behalf of other users. To prevent that from happening, the update makes sure inputs are now properly sanitised.

