Visual Studio Team Foundation Server vulnerability could allow escalation of privilege
Report ID: MS201209001
Date Published: 12 September 2012
Compromise Type: privilege-escalation cross-site-scripting
Compromise From: remote
Microsoft Visual Studio Team Foundation Server 2010
A vulnerability in Visual Studio Team Foundation Server could allow an attacker to inject a script into the user's web browser, which could potentially lead to the attacker taking an action on behalf of the user.
Microsoft has issued a security update for Visual Studio Team Foundation Server following a report on a reflected cross-site scripting vulnerability found in the software. The vulnerability was caused by improper validation of a request parameter on the Team Foundation Server site. An attacker could take advantage of the condition to inject a script into the user's Internet Explorer or any web browser, which might enable content spoofing, information disclosure, or taking action on behalf of the user.
To patch the vulnerability, Microsoft has released a security update for the affected software. The update introduces a correction on the way that input parameters are validated. Users are recommended to install this latest update as a protection measure against potential exploit attempts.
Install the latest security patch for applicable system, available for download from (https://technet.microsoft.com/en-us/security/bulletin/ms12-061)
F-Secure Health Check
F-Secure's free tool, the Health Check, detects if your system is missing the patch for the vulnerability covered in this report.