CVE-2019-0996

CWE-352 — Cross-Site Request Forgery (CSRF)5 documents5 sources

Severity

6.5MEDIUM

EPSS

8.1%

top 7.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Azure Devops Server 2019 Microsoft Azure Devops Server

Timeline

PublishedJun 12

Latest updateJun 25

Description

A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery. An attacker who successfully exploited this vulnerability could bypass OAuth protections and register an application on behalf of the targeted user. To exploit this vulnerability, an attacker would need to create a page specifically designed to cause a cross-site request. The attacker would then need to convince a targeted user to click …

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5microsoft/azure_devops_server_2019< publication

▶NVDmicrosoft/azure_devops_server2019

Patches

Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

OSV

libheif vulnerabilities↗2024-06-25

▶

GHSA

GHSA-rm8m-fp2p-77cc: A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site reques↗2022-05-24

▶

CVEList

Azure DevOps Server Spoofing Vulnerability↗2019-06-12

▶

📋Vendor Advisories

Microsoft

Azure DevOps Server Spoofing Vulnerability↗2019-06-11

▶