Visual Studio Team Foundation Server vulnerability could allow escalation of privilege
Report ID: MS201209001
Date Published: 12 September 2012
Criticality: Important
Compromise Type: privilege-escalation cross-site-scripting
Compromise From: remote
Affected Product/Component:
Microsoft Visual Studio Team Foundation Server 2010
Summary
A vulnerability in Visual Studio Team Foundation Server could allow an attacker to inject a script into the user's web browser, which could potentially lead to the attacker taking an action on behalf of the user.
Detailed Description
Microsoft has issued a security update for Visual Studio Team Foundation Server following a report on a reflected cross-site scripting vulnerability found in the software. The vulnerability was caused by improper validation of a request parameter on the Team Foundation Server site. An attacker could take advantage of the condition to inject a script into the user's Internet Explorer or any web browser, which might enable content spoofing, information disclosure, or taking action on behalf of the user.
To patch the vulnerability, Microsoft has released a security update for the affected software. The update introduces a correction on the way that input parameters are validated. Users are recommended to install this latest update as a protection measure against potential exploit attempts.
CVE Reference
CVE-2012-1892
Solution
Install the latest security patch for applicable system, available for download from (https://technet.microsoft.com/en-us/security/bulletin/ms12-061)
F-Secure Health Check
F-Secure's free tool, the Health Check, detects if your system is missing the patch for the vulnerability covered in this report.
