Reflected cross-site scripting in Microsoft Azure DevOps Server

Title

Reflected cross-site scripting

Product

Microsoft Azure DevOps Server

Vulnerable Version

2020.0.1

Fixed Version

2020.0.1 Patch 2

CVE Number

CVE-2021-28459

Impact

medium

Found

03.03.2021

By

M. Li (Office Munich) | SEC Consult Vulnerability Lab

Microsoft Azure DevOps Server is vulnerable to a reflected XSS issue, which can be exploited by uploading a file with specially crafted payloads.

Vendor description

"What is Azure DevOps Server? Collaborative software development tools for the entire team Previously known as Team Foundation Server (TFS), Azure DevOps Server is a set of collaborative software development tools, hosted on-premises. Azure DevOps Server integrates with your existing IDE or editor, enabling your cross-functional team to work effectively on projects of all sizes"

Source: https://azure.microsoft.com/en-us/services/devops/server/

Business recommendation

SEC Consult recommends upgrading to the latest available version which patches the security issues. An in-depth security analysis performed by security professionals is advised, as the software may be affected from further security issues.

Vulnerability overview/description

1) Reflected cross-site scripting (CVE-2021-28459)

The process template function with the collection settings allows uploading of a zip file, from which the name of the template is taken and returned to the browser. This variable is not sanitized, leading to a reflected cross-site scripting vulnerability.

Proof of concept

1) Reflected cross-site scripting (CVE-2021-28459)

An authenticated user with privileges to upload project files can access the Collection Settings of one project. Under the Process function, it is possible to upload a process template in form of a zip file, which can be obtained by downloading an existing template. According to the template structure, the ProcessTemplate.xml file should contain a name, in which the XSS payload is injected as below:

<ProcessTemplate>
  <metadata>
    <name>XSS here: &lt;img src=x onerror=alert(document.URL)&gt;</name>
    <description>This template is flexible and will work great</description>
    <version type="aa12a345-00a0-1f11-ba00-b12345b12345" major="1" minor="0" />
    <plugins>

Soon after the upload, a message is returned to the user, stating the process template has been renamed to the malicious one with the XSS payload. At this point, the injected JavaScript will get executed, showing a pop-up window with the URL in this case.

In reality, an attacker might send a malicious zip file to administrators and trick them into uploading it, thus achieving to compromise their account.

Vulnerable/Tested versions

The following version has been tested, which was the most recent one at the time of the test:

  • 2020.0.1

Vendor contact timeline

2021-03-08 Contacting vendor through MSRC portal, case number 64141 is auto-assigned.
2021-03-09 Vendor informed that the investigation be started.
2021-04-01 Vendor informed that a fix has been completed and will be released as part of April Patch Tuesday. CVE-2021-28459 has been assigned to the issue.
2021-04-13 Vendor released the patch.
2021-04-14 Public release of the security advisory.