CVE-2021-41372 — Cross-site Scripting in Microsoft Power BI Report Server Version 1.11.8091.10468

CWE-79 — Cross-site Scripting CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

9.6CRITICALNVD

CNA7.6

EPSS

0.2%

top 53.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Power BI Report Server Version 1.11.8091.10468 Microsoft Power BI Report Server Version 1.12.7977.29537 Microsoft Power BI Report Server

Timeline

PublishedNov 10

Description

A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim. Combining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI templates files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages3 packages

▶CVEListV5microsoft/power_bi_report_server_version_1.11.8091.104681.0.0.0 — 15.0.1106.457

▶CVEListV5microsoft/power_bi_report_server_version_1.12.7977.295371.0.0.0 — 15.0.1107.165

▶NVDmicrosoft/power_bi_report_server15.0.1107.165

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

CVEList

Power BI Report Server Spoofing Vulnerability↗2021-11-10

▶

📋Vendor Advisories

Microsoft

Power BI Report Server Spoofing Vulnerability↗2021-11-09

▶