CVE-2024-35266

7.6 HIGH

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Azure DevOps Server that allows attackers to inject malicious scripts into web pages viewed by other users. It affects organizations using Azure DevOps Server on-premises, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • Azure DevOps Server
Versions: All versions before the security update
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects on-premises Azure DevOps Server installations, not Azure DevOps Services (cloud).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal authentication tokens, hijack user sessions, perform actions as authenticated users, and potentially access sensitive source code, build pipelines, and project data.

🟠 Likely Case

Attackers inject malicious scripts to steal session cookies or credentials, leading to unauthorized access to Azure DevOps projects and repositories.

🟢 If Mitigated

With proper input validation and output encoding, the risk is limited to isolated script execution without significant data compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (the victim must visit a malicious page), but is straightforward once initial access is gained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific version

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35266

Restart Required: Yes

Instructions:

1. Download the latest security update from Microsoft Update Catalog
2. Apply the update to all Azure DevOps Server instances
3. Restart the server as required
4. Verify the update was successful

🔧 Temporary Workarounds

Enable Content Security Policy

Applies to: all

Implement CSP headers to restrict script execution from untrusted sources.

Input Validation Enhancement

Applies to: all

Add additional input validation for user-controllable data in Azure DevOps.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Restrict user permissions to minimize impact if exploitation occurs

🔍 How to Verify

Check if Vulnerable:

Check Azure DevOps Server version against patched versions in Microsoft advisory

Check Version:

Check the Azure DevOps Server administration console, or query the registry with PowerShell:

  Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\DevDiv\AzureDevOps\Server' -Name Version

Verify Fix Applied:

Verify the installed version matches or exceeds the patched version from Microsoft

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags in request logs
  • Suspicious JavaScript payloads in URLs or form submissions

Network Indicators:

  • HTTP requests containing script injection patterns
  • Unexpected external script loads

SIEM Query:

source="azure_devops" AND (http_request CONTAINS "<script>" OR http_request CONTAINS "javascript:")
