Cross-Site Scripting Vulnerability in Microsoft SQL Server Reporting Services
CVE-2019-1332

6.1MEDIUM

Key Information:

Vendor: Microsoft
Status: Sql Server 2017 Reporting Services; Power Bi Report Server; Sql Server 2019 Reporting Services
Vendor: CVE Published:; 10 December 2019

Badges

👾 Exploit Exists🟡 Public PoC

Summary

This vulnerability allows an attacker to execute arbitrary scripts in the context of a user's session on Microsoft SQL Server Reporting Services (SSRS). It arises from improper sanitization of specially-crafted web requests directed toward the SSRS server. If exploited, this could lead to unauthorized actions and information exposure, posing significant risks to the data integrity and privacy of reported information.

Affected Version(s)

Power BI Report Server = unspecified

SQL Server 2017 Reporting Services = unspecified

SQL Server 2019 Reporting Services = unspecified

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-1332
Created by mbadanoiu

References

https://portal.msrc.microsoft.com/en-US/security-guidance...

x_refsource_MISC

https://github.com/DrunkenShells/Disclosures/tree/master/...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Feb 5, 2024
👾
Exploit known to exist
Feb 5, 2024
Vulnerability published
Dec 10, 2019
Vulnerability Reserved
Nov 26, 2018