

Vulnerability protection

Visual Studio Team Foundation Server vulnerability could allow escalation of privilege


Report ID: MS201209001
Date Published: 12 September 2012

Criticality: Important
Compromise Type: privilege-escalation, cross-site-scripting
Compromise From: remote


Affected Product/Component:

Microsoft Visual Studio Team Foundation Server 2010




Summary

A vulnerability in Visual Studio Team Foundation Server could allow an attacker to inject a script into the user's web browser, which could potentially lead to the attacker taking an action on behalf of the user.



Detailed Description

Microsoft has issued a security update for Visual Studio Team Foundation Server following a report of a reflected cross-site scripting vulnerability in the software. The vulnerability was caused by improper validation of a request parameter on the Team Foundation Server site. An attacker could take advantage of this condition to inject a script into the user's web browser (Internet Explorer or any other browser), which might enable content spoofing, information disclosure, or taking action on behalf of the user.

To patch the vulnerability, Microsoft has released a security update for the affected software. The update corrects the way input parameters are validated. Users are advised to install this latest update as a protection measure against potential exploit attempts.



CVE Reference

CVE-2012-1892



Solution

Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-061



