KLA11433
Multiple vulnerabilities in Microsoft Developer Tools

Updated: 07/22/2020
Microsoft official advisories
Microsoft Security Update Guide
Detect date: 03/12/2019
Severity: High
Description

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to spoof the user interface or execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. A tampering vulnerability in NuGet Package Manager can be exploited remotely to spoof the user interface.
  2. A remote code execution vulnerability in Visual Studio can be exploited remotely to execute arbitrary code.
  3. A cross-site scripting (XSS) vulnerability in Team Foundation Server can be exploited remotely via a specially crafted payload to spoof the user interface.
Affected products

Nuget 4.8.2
Nuget 4.4.2
Nuget 4.7.2
Mono Framework Version 5.18.0.223
.NET Core SDK 2.1.500
Nuget 4.3.1
Nuget 4.9.4
.NET Core SDK 1.1
Mono Framework Version 5.20.0
Nuget 4.6.3
Nuget 4.5.2
Visual Studio 2017 for Mac
.NET Core SDK 2.2.100
Team Foundation Server 2018 Update 3.2
Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8)
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2017 Update 3.1

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Original advisories

CVE-2019-0757
CVE-2019-0809
CVE-2019-0777

Impacts
ACE
SUI
Related products
Microsoft Visual Studio
Team Foundation Server
CVE-IDS
CVE-2019-0809: 6.8 (High)
CVE-2019-0777: 3.5 (Warning)
CVE-2019-0757: 4.0 (Warning)