Power Bi Report Server
CVE-2021-41372
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Primary rating from Vendor (microsoft) · only source for this CVE.
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim. Combining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI templates files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim access one of the HTML files present in the malicious Power BI template uploaded. The security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitize file uploads.
AnalysisAI
A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim. Combining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI templates files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim access one of the HTML files present in the malicious Power BI template uploaded. The security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitize file uploads. Affected products include: Microsoft Power Bi Report Server.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Power Bi Report Server
View allA cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly
Cross-site scripting (CWE-79) in Microsoft Power BI Report Server lets an authenticated, low-privileged attacker inject
Power BI Report Server Spoofing Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitabl
Power BI Report Server Spoofing Vulnerability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitabl
Improper input validation in Power BI allows an authorized attacker to execute code over a network. [CVSS 8.0 HIGH]
Microsoft Power BI Information Disclosure Vulnerability. Rated high severity (CVSS 7.7), this vulnerability is remotely
Power BI Remote Code Execution Vulnerability. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable
A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded
Power BI Report Server Spoofing Vulnerability. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploita
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today