
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN352
____________________________________________________________________

DATE                : 12/09/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running
     Microsoft Visual Studio Team Foundation Server version 2010 SP 1.

======================================================================
KB2719584
http://technet.microsoft.com/en-us/security/bulletin/MS12-061
______________________________________________________________________

Microsoft Security Bulletin MS12-061 - Important
Vulnerability in Visual Studio Team Foundation Server Could Allow
Elevation of Privilege (2719584)

Published Date: September 11, 2012 | Updated Date: Unspecified

Version: 1.0

General Information


Executive Summary

This security update resolves a privately reported vulnerability in
Visual Studio Team Foundation Server. The vulnerability could allow
elevation of privilege if a user clicks a specially crafted link in an
email message or browses to a webpage that is used to exploit the
vulnerability. In all cases, however, an attacker would have no way to
force users to perform these actions. Instead, an attacker would have to
convince users to visit a website, typically by getting them to click a
link in an email message or Instant Messenger message that takes them to
the attacker's website.

This security update is rated Important for all supported editions of
Microsoft Visual Studio Team Foundation Server 2010.


Known Issues

None


Affected Software

Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1


Vulnerability Information

XSS Vulnerability - CVE-2012-1892

A reflected XSS vulnerability exists in Visual Studio Team Foundation
Server that could allow an attacker to inject a client-side script into
the user's instance of Internet Explorer or any web browser using Team
Foundation Server web access. The script could spoof content, disclose
information, or take any action that the user could take on the site on
behalf of the targeted user.

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
