CVE-2021-41372

7.6 HIGH

📋 TL;DR

This vulnerability allows an attacker to upload a malicious Power BI template file containing HTML with embedded script. When a victim opens such an HTML file, the script runs in the victim's security context, which can lead to privilege escalation if the victim has administrative rights. It affects Power BI Report Server deployments where users can upload template files.

💻 Affected Systems

Products:
  • Microsoft Power BI Report Server
Versions: All versions prior to the security update
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires file upload functionality and victim access to uploaded HTML files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains administrative control over the Power BI Report Server by exploiting an admin user's session, leading to full system compromise and data exfiltration.

🟠 Likely Case

Attackers steal session cookies or perform actions on behalf of authenticated users, potentially accessing sensitive reports or modifying data.

🟢 If Mitigated

With proper input sanitization and CSRF protections, the attack fails to execute malicious scripts or upload unauthorized files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires combining XSS and CSRF, and victim interaction with malicious files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the security update from Microsoft's October 2021 Patch Tuesday

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41372

Restart Required: Yes

Instructions:

1. Download the security update from the Microsoft Update Catalog.
2. Install the update on the Power BI Report Server.
3. Restart the server as required.

🔧 Temporary Workarounds

Restrict File Uploads (platform: windows)

Limit file uploads to trusted users and monitor for suspicious .pbix files.

Implement CSRF Tokens (platform: all)

Add CSRF protection to file upload endpoints to prevent unauthorized uploads.

🧯 If You Can't Patch

  • Disable file upload functionality for untrusted users.
  • Implement web application firewall (WAF) rules to block malicious HTML content in uploads.

🔍 How to Verify

Check if Vulnerable:

Check Power BI Report Server version; if prior to October 2021 security update, it is vulnerable.

Check Version:

Check the server version via Power BI Report Server Configuration Manager or PowerShell: Get-PowerBIReportServerVersion

Verify Fix Applied:

Verify the server version matches or exceeds the patched version and test file upload sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual .pbix file uploads from unexpected IPs
  • Access logs showing direct HTML file accesses from uploaded templates

Network Indicators:

  • HTTP requests uploading .pbix files with embedded HTML scripts
  • Outbound connections triggered by accessed HTML files

SIEM Query:

source="PowerBI_Logs" AND (file_upload="*.pbix" OR url="*.html") AND user_agent="suspicious"
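As an added illustration of the two log indicators above (this script is not part of the original advisory or of Microsoft's tooling), the following Python code runs over constructed access log lines and flags .pbix uploads from untrusted IPs and direct .html accesses under the uploaded-template path; the log layout, the /reports/... paths and the IP addresses are assumptions.

```python
import re

# Constructed sample access log (simplified IIS/W3C-style layout, not real data):
# date time client_ip username method uri status
SAMPLE_LOG = """\
2021-10-12 09:01:10 10.0.0.5 alice POST /reports/api/upload/templates 200
2021-10-12 09:01:11 10.0.0.5 alice GET /reports/browse/Sales 200
2021-10-12 09:03:40 198.51.100.9 bob POST /reports/api/upload/templates?name=q3.pbix 200
2021-10-12 09:04:02 10.0.0.22 admin GET /reports/templates/q3/index.html 200
2021-10-12 09:04:05 10.0.0.22 admin GET /reports/templates/q3/data.html 200
2021-10-12 09:10:00 10.0.0.7 carol GET /reports/browse/Finance 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$"
)

def parse_log(text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def pbix_uploads(events, trusted_ips=frozenset()):
    """Indicator 1: POSTs naming a .pbix file, from IPs outside the trusted set.
    An empty trusted set reports every .pbix upload."""
    return [e for e in events
            if e["method"] == "POST"
            and e["uri"].lower().endswith(".pbix")
            and e["ip"] not in trusted_ips]

def html_template_accesses(events, template_path="/reports/templates/"):
    """Indicator 2: direct GETs of .html files under the (assumed) template path."""
    return [e for e in events
            if e["method"] == "GET"
            and e["uri"].startswith(template_path)
            and e["uri"].split("?", 1)[0].lower().endswith(".html")]

def exposed_users(events):
    """Accounts whose browser rendered an uploaded HTML file; these are the
    sessions in which an injected script would have run, so review them first."""
    return sorted({e["user"] for e in html_template_accesses(events)})

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in pbix_uploads(evts, trusted_ips={"10.0.0.5"}):
        print("upload from untrusted IP:", e["ip"], e["user"], e["uri"])
    print("users that opened template HTML:", exposed_users(evts))
```

Point the functions at a real export of the server's access log and replace the assumed paths and trusted IPs with your own deployment's values.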
