Microsoft Azure DevOps Server 2020.0.1 Cross Site Scripting

`SEC Consult Vulnerability Lab Security Advisory < 20210414-0 >  
=======================================================================  
title: Reflected cross-site scripting  
product: Microsoft Azure DevOps Server  
vulnerable version: 2020.0.1  
fixed version: 2020.0.1 Patch 2  
CVE number: CVE-2021-28459  
impact: medium  
homepage: https://azure.microsoft.com/en-us/services/devops/server/  
found: 2021-03-03  
by: M. Li (Office Munich)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Atos company  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"What is Azure DevOps Server?  
Collaborative software development tools for the entire team  
  
Previously known as Team Foundation Server (TFS), Azure DevOps Server is a set  
of collaborative software development tools, hosted on-premises.  
Azure DevOps Server integrates with your existing IDE or editor, enabling   
your  
cross-functional team to work effectively on projects of all sizes."  
  
Source: https://azure.microsoft.com/en-us/services/devops/server/  
  
  
Business recommendation:  
------------------------  
SEC Consult recommends upgrading to the latest available version which patches  
the security issues.  
  
An in-depth security analysis performed by security professionals is advised,  
as the software may be affected from further security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Reflected cross-site scripting  
The process template function with the collection settings allows uploading of  
a zip file, from which the name of the template is taken and returned to the  
browser. This variable is not sanitized, leading to a reflected cross-site  
scripting vulnerability.  
  
  
Proof of concept:  
-----------------  
1) Reflected cross-site scripting  
An authenticated user with privileges to upload project files can access the  
Collection Settings of one project. Under the Process function, it is possible  
to upload a process template in form of a zip file, which can be obtained   
by  
downloading an existing template. According to the template structure, the  
ProcessTemplate.xml file should contain a name, in which the XSS payload is  
injected as below:  
  
```  
<ProcessTemplate>  
<metadata>  
<name>XSS here: <img src=x onerror=alert(document.URL)></name>  
<description>This template is flexible and will work great</description>  
<version type="aa12a345-00a0-1f11-ba00-b12345b12345" major="1" minor="0" />  
<plugins>  
```  
  
Soon after the upload, a message is returned to the user, stating the process  
template has been renamed to the malicious one with the XSS payload. At this  
point, the injected JavaScript will get executed, showing a pop-up window   
with  
the URL in this case.  
  
In reality, an attacker might send a malicious zip file to administrators   
and  
trick them into uploading it, thus achieving to compromise their account.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following version has been tested, which was the most recent one at the  
time of the test:  
- 2020.0.1  
  
  
Vendor contact timeline:  
------------------------  
2021-03-08: Contacting vendor through MSRC portal, case number 64141 is auto-assigned.  
2021-03-09: Vendor informed that the investigation be started.  
2021-04-01: Vendor informed that a fix has been completed and will be released as part  
of April Patch Tuesday. CVE-2021-28459 has been assigned to the issue.  
2021-04-13: Vendor released the patch.  
2021-04-14: Public release of the security advisory.  
  
  
Solution:  
---------  
The patch is available at:  
https://docs.microsoft.com/en-us/azure/devops/server/release-notes/azuredevops2020?view=azure-devops&branch=releasenotes%2Fmarchpatch#azure-devops-server-202001-patch-2-release-date-march-9-202  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult, an Atos company  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos ​company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF M. Li / @2021  
  
`