First Security Vulnerability fix:
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account.
The security update addresses the vulnerability by modifying how the Microsoft SQL Server Reporting Services handles page requests.
Second Security Vulnerability fix:
A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server. An attacker who successfully exploited the vulnerability could run scripts in the context of the targeted user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victimβs identity to take actions on the site on behalf of the user, such as change permissions and delete content.
The security update addresses the vulnerability by correcting SSRS URL sanitization.