cnvd - cnvd-2020-19008

cnvd-2020-19008

Vulnerability from cnvd

Title

Microsoft Azure DevOps Server跨站脚本漏洞（CNVD-2020-19008）

Description

Microsoft Azure DevOps Server是美国微软（Microsoft）公司的一套软件开发协作工具。该产品包括共享代码、工作跟踪和软件发布等功能。 Azure DevOps Server中存在跨站脚本漏洞，该漏洞源于程序未能正确清理用户提供的输入，攻击者可通过发送特殊的payload利用该漏洞在当前用户的安全上下文中执行脚本。

Severity

中

Patch Name

Microsoft Azure DevOps Server跨站脚本漏洞（CNVD-2020-19008）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-0700

Reference

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-0700

Impacted products

Name
['Microsoft Team Foundation Server 2017 Update 3.1', 'Microsoft Team Foundation Server 2018 Update 3.2', 'Microsoft Team Foundation Server 2018 Update 1.2', 'Microsoft Azure DevOps Server 2019.0.1', 'Microsoft Azure DevOps Server 2019 Update 1', 'Microsoft Azure DevOps Server 2019 Update 1.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-0700"
    }
  },
  "description": "Microsoft Azure DevOps Server\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957\u8f6f\u4ef6\u5f00\u53d1\u534f\u4f5c\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u5305\u62ec\u5171\u4eab\u4ee3\u7801\u3001\u5de5\u4f5c\u8ddf\u8e2a\u548c\u8f6f\u4ef6\u53d1\u5e03\u7b49\u529f\u80fd\u3002\n\nAzure DevOps Server\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u6e05\u7406\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u7279\u6b8a\u7684payload\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5f53\u524d\u7528\u6237\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u811a\u672c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-0700",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-19008",
  "openTime": "2020-03-24",
  "patchDescription": "Microsoft Azure DevOps Server\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957\u8f6f\u4ef6\u5f00\u53d1\u534f\u4f5c\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u5305\u62ec\u5171\u4eab\u4ee3\u7801\u3001\u5de5\u4f5c\u8ddf\u8e2a\u548c\u8f6f\u4ef6\u53d1\u5e03\u7b49\u529f\u80fd\u3002\r\n\r\nAzure DevOps Server\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u6e05\u7406\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u7279\u6b8a\u7684payload\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5f53\u524d\u7528\u6237\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u811a\u672c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Azure DevOps Server\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-19008\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Microsoft Team Foundation Server 2017 Update 3.1",
      "Microsoft Team Foundation Server 2018 Update 3.2",
      "Microsoft Team Foundation Server 2018 Update 1.2",
      "Microsoft Azure DevOps Server 2019.0.1",
      "Microsoft Azure DevOps Server 2019 Update 1",
      "Microsoft Azure DevOps Server 2019 Update 1.1"
    ]
  },
  "referenceLink": "https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-0700",
  "serverity": "\u4e2d",
  "submitTime": "2020-03-11",
  "title": "Microsoft Azure DevOps Server\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-19008\uff09"
}

CVE-2020-0700 (GCVE-0-2020-0700)

Vulnerability from cvelistv5

Published

2020-03-12 15:48

Modified

2024-08-04 06:11

Severity ?

CWE

Spoofing

Summary

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server does not properly sanitize user provided input, aka 'Azure DevOps Server Cross-site Scripting Vulnerability'.

References

URL

Tags

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0700

x_refsource_MISC

Impacted products

Vendor

Product

Version

Microsoft

Azure DevOps Server

Version: 2019.0.1

Microsoft	Team Foundation Server 2018	Version: Update 3.2 Version: Update 1.2
Microsoft	Team Foundation Server	Version: 2017 Update 3.1
Microsoft	Azure DevOps Server 2019	Version: Update 1
Microsoft	Azure DevOps Server 2019 Update 1.1	Version: unspecified

Show details on NVD website