Abstract Advisory Information
An unrestricted file upload vulnerability in the comment section of Microsoft Power BI Report Server allows remote authenticated users to upload arbitrary files and to control the Content-Type value the server uses when another user accesses the uploaded file. For example, an attacker could upload an HTML file containing a malicious JavaScript payload, which is then rendered and executed in the browsers of other users who open it.
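As an added illustration that is not part of this advisory or of Power BI Report Server's code, the following Python models the download behaviour described above: the vulnerable variant echoes the uploader-supplied Content-Type, while the hardened one ignores it, derives the type from an assumed allow-list of extensions, checks the file signature where one exists, forces a download and disables MIME sniffing. All names, the allow-list and the sample attachment are assumptions.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredAttachment:
    filename: str             # name supplied by the uploader
    client_content_type: str  # Content-Type header sent with the upload
    data: bytes


# Assumed allow-list: extension -> MIME type the server is willing to serve.
ALLOWED_TYPES = {".png": "image/png", ".jpg": "image/jpeg",
                 ".pdf": "application/pdf", ".txt": "text/plain"}
# Leading bytes expected for the binary types above (text/plain has none).
SIGNATURES = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff",
              "application/pdf": b"%PDF-"}


def vulnerable_response_headers(att: StoredAttachment) -> dict:
    """Pattern the advisory describes: the uploader's Content-Type is echoed
    back, so an 'attachment' claiming text/html is rendered, script included,
    in the browser of every user who opens it."""
    return {"Content-Type": att.client_content_type,
            "Content-Disposition": f'inline; filename="{att.filename}"'}


def hardened_response_headers(att: StoredAttachment) -> Optional[dict]:
    """Ignore the client-supplied type entirely. Derive the served type from
    an allow-listed extension, verify the file signature where one exists,
    force a download and forbid MIME sniffing. None means reject the file."""
    base = os.path.basename(att.filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    mime = ALLOWED_TYPES.get(ext)
    if mime is None:
        return None
    sig = SIGNATURES.get(mime)
    if sig is not None and not att.data.startswith(sig):
        return None  # extension says image/PDF but the bytes do not
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "attachment"
    return {"Content-Type": mime,
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    # Constructed sample: an HTML file uploaded with a self-chosen Content-Type.
    evil = StoredAttachment("notes.html", "text/html", b"<html></html>")
    print(vulnerable_response_headers(evil))  # served as text/html
    print(hardened_response_headers(evil))    # None: rejected
```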
Authors: Samy Baiwir
Version affected
Name: Microsoft Power BI Report Server
Versions: 15.0.1102.299
Common Vulnerability Scoring System
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Patches
Version 1.5.7074.36177 (Build 15.0.1102.371)
References
https://docs.microsoft.com/en-us/power-bi/report-server/changelog
Vulnerability Disclosure Timeline
- 10/05/2019: Vulnerability discovered on version 15.0.1102.235
- 21/05/2019: Vulnerability validated on the latest available version (15.0.1102.299)
- 23/05/2019: First contact with vendor
- 29/05/2019: Vendor acknowledges and validates the vulnerability
- 31/05/2019: Bug bounty submitted on msrc.microsoft.com
- 10/07/2019: Fix released: 1.5.7074.36177 (Build 15.0.1102.371)
- 11/07/2019: Vendor confirms that no CVE-ID will be assigned
- 12/08/2019: Patch does not work; vendor re-contacted
- 27/08/2019: Vendor acknowledges and validates the vulnerability
- 05/09/2019: Vendor asks us not to publish the vulnerability
- 19/09/2019: Vendor asks us not to publish the vulnerability
- 17/10/2019: Vendor confirms a new fix is available: 1.6.7236.4246 (Build 15.0.1102.646)
- 09/12/2019: Public disclosure