The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.
Synthesis of the vulnerability 
An attacker can trigger a Cross Site Scripting (XSS) in Visual Studio Team Foundation Server, in order to execute JavaScript code in the context of the web site.
Impacted products: Visual Studio.
Severity of this bulletin: 2/4.
Creation date: 11/09/2012.
References of this threat: 2719584, BID-55409, CERTA-2012-AVI-494, CVE-2012-1892, MS12-061, VIGILANCE-VUL-11931.
Description of the vulnerability 
The Visual Studio Team Foundation Server product offers tools to a developer community.
However, the web site of Team Foundation Server does not filter its parameters before displaying them in generated HTML pages.
An attacker can therefore trigger a Cross Site Scripting (XSS) in Visual Studio Team Foundation Server, in order to execute JavaScript code in the context of the web site.
This security note impacts software or systems such as Visual Studio.
Our Vigil@nce team determined that the severity of this threat announcement is medium.
The trust level is: confirmed by the vendor, with an origin of document.
An attacker with expert ability can exploit this weakness.
Solutions for this threat 
Visual Studio Team Foundation Server: patch.
A patch is available:
Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=721c4a38-b255-4792-83a5-7526a680a79a
The Microsoft announcement indicates workarounds.
The article 2719584 indicates known problems:
http://support.microsoft.com/kb/2719584