
Computer vulnerabilities of Microsoft Visual Studio

computer vulnerability note CVE-2019-0727

Microsoft Visual Studio: privilege escalation via Standard Collector

Synthesis of the vulnerability

An attacker can bypass restrictions via Standard Collector of Microsoft Visual Studio, in order to escalate his privileges.
Impacted products: Visual Studio.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 15/05/2019.
Identifiers: CERTFR-2019-AVI-225, CVE-2019-0727, FG-VD-19-013, VIGILANCE-VUL-29299.

Description of the vulnerability

An attacker can bypass restrictions via Standard Collector of Microsoft Visual Studio, in order to escalate his privileges.

vulnerability bulletin 29203

Microsoft Visual Studio: memory corruption via __asm Generated Code

Synthesis of the vulnerability

An attacker can trigger a memory corruption via __asm Generated Code of Microsoft Visual Studio, in order to trigger a denial of service, and possibly to run code.
Impacted products: Visual Studio.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 02/05/2019.
Identifiers: VIGILANCE-VUL-29203, ZDI-19-448.

Description of the vulnerability

An attacker can trigger a memory corruption via __asm Generated Code of Microsoft Visual Studio, in order to trigger a denial of service, and possibly to run code.

computer vulnerability bulletin CVE-2018-8599

Microsoft Visual Studio: privilege escalation via Diagnostics Hub Standard Collector Service

Synthesis of the vulnerability

An attacker can bypass restrictions via Diagnostics Hub Standard Collector Service of Microsoft Visual Studio, in order to escalate his privileges.
Impacted products: Visual Studio, Windows 10, Windows 2016, Windows 2019.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 12/12/2018.
Identifiers: CERTFR-2018-AVI-598, CVE-2018-8599, VIGILANCE-VUL-28008.

Description of the vulnerability

An attacker can bypass restrictions via Diagnostics Hub Standard Collector Service of Microsoft Visual Studio, in order to escalate his privileges.

computer vulnerability note CVE-2018-0952

Microsoft Visual Studio: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of Microsoft Visual Studio, in order to escalate his privileges.
Impacted products: Visual Studio.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 16/08/2018.
Identifiers: CERTFR-2018-AVI-399, CVE-2018-0952, VIGILANCE-VUL-26989.

Description of the vulnerability

An attacker can bypass restrictions of Microsoft Visual Studio, in order to escalate his privileges.

vulnerability bulletin CVE-2018-1037

Microsoft Visual Studio: information disclosure

Synthesis of the vulnerability

An attacker can bypass access restrictions to data of Microsoft Visual Studio, in order to obtain sensitive information.
Impacted products: Visual Studio.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 11/04/2018.
Identifiers: CERTFR-2018-AVI-181, CVE-2018-1037, VIGILANCE-VUL-25833.

Description of the vulnerability

An attacker can bypass access restrictions to data of Microsoft Visual Studio, in order to obtain sensitive information.

computer vulnerability bulletin 23108

Microsoft: executing DLL code

Synthesis of the vulnerability

An attacker can create a malicious DLL, and then put it in the current directory of a Microsoft application, in order to execute code.
Impacted products: Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, SQL Server, Visual Studio.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 30/06/2017.
Identifiers: VIGILANCE-VUL-23108.

Description of the vulnerability

The Microsoft product uses external shared libraries (DLL).

However, if the working directory contains a malicious DLL, it is automatically loaded.

An attacker can therefore create a malicious DLL, and then put it in the current directory of a Microsoft application, in order to execute code.

vulnerability bulletin 18913

Visual Studio: Cross Site Request Forgery via ASP.NET MVC5/6

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery in ASP.NET MVC5/6 of Visual Studio, in order to force the victim to perform operations.
Impacted products: Visual Studio.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 10/02/2016.
Identifiers: 3137909, VIGILANCE-VUL-18913.

Description of the vulnerability

The Visual Studio product offers ASP.NET MVC5 and MVC6, used to create web services.

However, the origin of requests is not checked. A request can, for example, originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery in ASP.NET MVC5/6 of Visual Studio, in order to force the victim to perform operations.

computer vulnerability bulletin CVE-2014-3802

Microsoft DIA SDK: memory corruption via msdia.dll

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious PDB file, to generate a memory corruption in msdia.dll of Microsoft DIA SDK, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Visual Studio.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 21/05/2014.
Identifiers: CVE-2014-3802, VIGILANCE-VUL-14778, ZDI-14-129.

Description of the vulnerability

The Microsoft DIA SDK product can be installed with Visual Studio.

The debugger uses a file in PDB format. However, a malformed PDB file corrupts memory in msdia.dll.

An attacker can therefore invite the victim to open a malicious PDB file, to generate a memory corruption in msdia.dll of Microsoft DIA SDK, in order to trigger a denial of service, and possibly to execute code.

vulnerability bulletin CVE-2013-5042

ASP.NET SignalR: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in ASP.NET SignalR, in order to execute JavaScript code in the context of the web site.
Impacted products: IIS, .NET Framework, Visual Studio.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 11/12/2013.
Identifiers: 2905244, BID-64093, CERTA-2013-AVI-669, CVE-2013-5042, MS13-103, VIGILANCE-VUL-13933.

Description of the vulnerability

The ASP.NET SignalR library is used to establish a communication between a web browser and a web server, using JavaScript.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in ASP.NET SignalR, in order to execute JavaScript code in the context of the web site.

vulnerability announcement CVE-2013-3129

Windows, Office, .NET, Lync: code execution via TrueType

Synthesis of the vulnerability

An attacker can invite the victim to open a document containing a malicious font, generating an error in the Windows kernel, in order to execute code.
Impacted products: Lync, Office, Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, Visual Studio, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista, Windows XP.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 09/07/2013.
Identifiers: 2848295, CERTA-2013-AVI-400, CVE-2013-3129, MS13-054, VIGILANCE-VUL-13082.

Description of the vulnerability

A document (Word or HTML for example) can be written with a TrueType font.

However, if the font is malformed, an error occurs in GDI+.

An attacker can therefore invite the victim to open a document containing a malicious font, generating an error in the Windows kernel, in order to execute privileged code. A malicious web page can also be used as an attack vector.