Search criteria
16 vulnerabilities found for power_bi_report_server by microsoft
CVE-2024-43612 (GCVE-0-2024-43612)
Vulnerability from nvd – Published: 2024-10-08 17:35 – Updated: 2025-07-08 15:38
VLAI?
Title
Power BI Report Server Spoofing Vulnerability
Summary
Power BI Report Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power BI Report Server - May 2024 |
Affected:
15.0.0 , < 15.0.1116.121
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T18:38:49.066503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T18:39:14.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power BI Report Server - May 2024",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.0.1116.121",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.1116.121",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-10-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Power BI Report Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T15:38:46.565Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Power BI Report Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43612"
}
],
"title": "Power BI Report Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-43612",
"datePublished": "2024-10-08T17:35:35.849Z",
"dateReserved": "2024-08-14T01:08:33.552Z",
"dateUpdated": "2025-07-08T15:38:46.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43481 (GCVE-0-2024-43481)
Vulnerability from nvd – Published: 2024-10-08 17:35 – Updated: 2025-07-08 15:38
VLAI?
Title
Power BI Report Server Spoofing Vulnerability
Summary
Power BI Report Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power BI Report Server - May 2024 |
Affected:
15.0.0 , < 15.0.1116.121
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43481",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T18:56:01.277042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T18:56:12.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power BI Report Server - May 2024",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.0.1116.121",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.1116.121",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-10-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Power BI Report Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T15:38:24.830Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Power BI Report Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43481"
}
],
"title": "Power BI Report Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-43481",
"datePublished": "2024-10-08T17:35:16.076Z",
"dateReserved": "2024-08-14T01:08:33.518Z",
"dateUpdated": "2025-07-08T15:38:24.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-21806 (GCVE-0-2023-21806)
Vulnerability from nvd – Published: 2023-02-14 19:32 – Updated: 2025-01-01 00:40
VLAI?
Title
Power BI Report Server Spoofing Vulnerability
Summary
Power BI Report Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power BI Report Server - January 2023 |
Affected:
15.0.0 , < 15.0.1111.115
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-21806",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T15:44:24.016968Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:19:41.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:51:51.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Power BI Report Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21806"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power BI Report Server - January 2023",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.0.1111.115",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.1111.115",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-02-14T08:00:00+00:00",
"descriptions": [
{
"lang": "en-US",
"value": "Power BI Report Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T00:40:44.142Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Power BI Report Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21806"
}
],
"title": "Power BI Report Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-21806",
"datePublished": "2023-02-14T19:32:40.364Z",
"dateReserved": "2022-12-16T22:13:41.241Z",
"dateUpdated": "2025-01-01T00:40:44.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41372 (GCVE-0-2021-41372)
Vulnerability from nvd – Published: 2021-11-10 00:46 – Updated: 2024-08-04 03:08
VLAI?
Title
Power BI Report Server Spoofing Vulnerability
Summary
A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim.
Combining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI templates files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim access one of the HTML files present in the malicious Power BI template uploaded.
The security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitize file uploads.
Severity ?
CWE
- Spoofing
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Power BI Report Server version 1.11.8091.10468 |
Affected:
1.0.0.0 , < 15.0.1106.457
(custom)
cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:32.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41372"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Power BI Report Server version 1.11.8091.10468",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.0.1106.457",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Power BI Report Server version 1.12.7977.29537",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.0.1107.165",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-09T08:00:00+00:00",
"descriptions": [
{
"lang": "en-US",
"value": "A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim.\nCombining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI templates files to the server using the victim\u0027s session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim access one of the HTML files present in the malicious Power BI template uploaded.\nThe security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitize file uploads.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Spoofing",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T14:47:37.204Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41372"
}
],
"title": "Power BI Report Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2021-41372",
"datePublished": "2021-11-10T00:46:45",
"dateReserved": "2021-09-17T00:00:00",
"dateUpdated": "2024-08-04T03:08:32.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31984 (GCVE-0-2021-31984)
Vulnerability from nvd – Published: 2021-07-14 17:53 – Updated: 2024-08-03 23:10
VLAI?
Title
Power BI Remote Code Execution Vulnerability
Summary
Power BI Remote Code Execution Vulnerability
Severity ?
CWE
- Remote Code Execution
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power BI Desktop |
Affected:
2.0.0.0 , < > 2.94.781.0
(custom)
cpe:2.3:a:microsoft:power_bi_report_server:-:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:31.404Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31984"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:power_bi_report_server:-:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Power BI Desktop",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "\u003e 2.94.781.0",
"status": "affected",
"version": "2.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-13T07:00:00+00:00",
"descriptions": [
{
"lang": "en-US",
"value": "Power BI Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T22:36:21.220Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31984"
}
],
"title": "Power BI Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2021-31984",
"datePublished": "2021-07-14T17:53:17",
"dateReserved": "2021-04-30T00:00:00",
"dateUpdated": "2024-08-03T23:10:31.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26859 (GCVE-0-2021-26859)
Vulnerability from nvd – Published: 2021-03-11 15:35 – Updated: 2024-08-03 20:33
VLAI?
Title
Microsoft Power BI Information Disclosure Vulnerability
Summary
Microsoft Power BI Information Disclosure Vulnerability
Severity ?
CWE
- Information Disclosure
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Power BI Report Server version 15.0.1103.234 |
Affected:
15.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:power_bi_report_server:15.0.1103.234:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.132Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26859"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:power_bi_report_server:15.0.1103.234:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Power BI Report Server version 15.0.1103.234",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:power_bi_report_server:15.0.1104.300:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Power BI Report Server version 15.0.1104.300",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-09T08:00:00+00:00",
"descriptions": [
{
"lang": "en-US",
"value": "Microsoft Power BI Information Disclosure Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T20:08:58.257Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26859"
}
],
"title": "Microsoft Power BI Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2021-26859",
"datePublished": "2021-03-11T15:35:31",
"dateReserved": "2021-02-08T00:00:00",
"dateUpdated": "2024-08-03T20:33:41.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1173 (GCVE-0-2020-1173)
Vulnerability from nvd – Published: 2020-05-21 22:53 – Updated: 2024-08-04 06:25
VLAI?
Summary
A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded attachments, aka 'Microsoft Power BI Report Server Spoofing Vulnerability'.
Severity ?
No CVSS data available.
CWE
- Spoofing
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power BI Report Server |
Affected:
unspecified
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:25:01.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1173"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Power BI Report Server",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "unspecified"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded attachments, aka \u0027Microsoft Power BI Report Server Spoofing Vulnerability\u0027."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Spoofing",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-21T22:53:30",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1173"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2020-1173",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Power BI Report Server",
"version": {
"version_data": [
{
"version_value": ""
}
]
}
}
]
},
"vendor_name": "Microsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded attachments, aka \u0027Microsoft Power BI Report Server Spoofing Vulnerability\u0027."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1173",
"refsource": "MISC",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1173"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-1173",
"datePublished": "2020-05-21T22:53:30",
"dateReserved": "2019-11-04T00:00:00",
"dateUpdated": "2024-08-04T06:25:01.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1332 (GCVE-0-2019-1332)
Vulnerability from nvd – Published: 2019-12-10 21:40 – Updated: 2024-08-04 18:13
VLAI?
Summary
A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka 'Microsoft SQL Server Reporting Services XSS Vulnerability'.
Severity ?
No CVSS data available.
CWE
- Spoofing
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | SQL Server 2017 Reporting Services |
Affected:
unspecified
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:13:30.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1332"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-1332-Cross-Site%20Scripting-Microsoft%20SQL%20Server%20Reporting%20Services"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SQL Server 2017 Reporting Services",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "unspecified"
}
]
},
{
"product": "Power BI Report Server",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "unspecified"
}
]
},
{
"product": "SQL Server 2019 Reporting Services",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "unspecified"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka \u0027Microsoft SQL Server Reporting Services XSS Vulnerability\u0027."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Spoofing",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T16:41:46",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1332"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-1332-Cross-Site%20Scripting-Microsoft%20SQL%20Server%20Reporting%20Services"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2019-1332",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SQL Server 2017 Reporting Services",
"version": {
"version_data": [
{
"version_value": ""
}
]
}
},
{
"product_name": "Power BI Report Server",
"version": {
"version_data": [
{
"version_value": ""
}
]
}
},
{
"product_name": "SQL Server 2019 Reporting Services",
"version": {
"version_data": [
{
"version_value": ""
}
]
}
}
]
},
"vendor_name": "Microsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka \u0027Microsoft SQL Server Reporting Services XSS Vulnerability\u0027."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1332",
"refsource": "MISC",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1332"
},
{
"name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-1332-Cross-Site%20Scripting-Microsoft%20SQL%20Server%20Reporting%20Services",
"refsource": "MISC",
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-1332-Cross-Site%20Scripting-Microsoft%20SQL%20Server%20Reporting%20Services"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2019-1332",
"datePublished": "2019-12-10T21:40:56",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T18:13:30.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43612 (GCVE-0-2024-43612)
Vulnerability from cvelistv5 – Published: 2024-10-08 17:35 – Updated: 2025-07-08 15:38
VLAI?
Title
Power BI Report Server Spoofing Vulnerability
Summary
Power BI Report Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power BI Report Server - May 2024 |
Affected:
15.0.0 , < 15.0.1116.121
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T18:38:49.066503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T18:39:14.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power BI Report Server - May 2024",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.0.1116.121",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.1116.121",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-10-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Power BI Report Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T15:38:46.565Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Power BI Report Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43612"
}
],
"title": "Power BI Report Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-43612",
"datePublished": "2024-10-08T17:35:35.849Z",
"dateReserved": "2024-08-14T01:08:33.552Z",
"dateUpdated": "2025-07-08T15:38:46.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43481 (GCVE-0-2024-43481)
Vulnerability from cvelistv5 – Published: 2024-10-08 17:35 – Updated: 2025-07-08 15:38
VLAI?
Title
Power BI Report Server Spoofing Vulnerability
Summary
Power BI Report Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power BI Report Server - May 2024 |
Affected:
15.0.0 , < 15.0.1116.121
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43481",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T18:56:01.277042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T18:56:12.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power BI Report Server - May 2024",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.0.1116.121",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.1116.121",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-10-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Power BI Report Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T15:38:24.830Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Power BI Report Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43481"
}
],
"title": "Power BI Report Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-43481",
"datePublished": "2024-10-08T17:35:16.076Z",
"dateReserved": "2024-08-14T01:08:33.518Z",
"dateUpdated": "2025-07-08T15:38:24.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-21806 (GCVE-0-2023-21806)
Vulnerability from cvelistv5 – Published: 2023-02-14 19:32 – Updated: 2025-01-01 00:40
VLAI?
Title
Power BI Report Server Spoofing Vulnerability
Summary
Power BI Report Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power BI Report Server - January 2023 |
Affected:
15.0.0 , < 15.0.1111.115
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-21806",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T15:44:24.016968Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:19:41.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:51:51.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Power BI Report Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21806"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power BI Report Server - January 2023",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.0.1111.115",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.1111.115",
"versionStartIncluding": "15.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-02-14T08:00:00+00:00",
"descriptions": [
{
"lang": "en-US",
"value": "Power BI Report Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T00:40:44.142Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Power BI Report Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21806"
}
],
"title": "Power BI Report Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-21806",
"datePublished": "2023-02-14T19:32:40.364Z",
"dateReserved": "2022-12-16T22:13:41.241Z",
"dateUpdated": "2025-01-01T00:40:44.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41372 (GCVE-0-2021-41372)
Vulnerability from cvelistv5 – Published: 2021-11-10 00:46 – Updated: 2024-08-04 03:08
VLAI?
Title
Power BI Report Server Spoofing Vulnerability
Summary
A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim.
Combining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI templates files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim access one of the HTML files present in the malicious Power BI template uploaded.
The security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitize file uploads.
Severity ?
CWE
- Spoofing
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Power BI Report Server version 1.11.8091.10468 |
Affected:
1.0.0.0 , < 15.0.1106.457
(custom)
cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:32.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41372"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Power BI Report Server version 1.11.8091.10468",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.0.1106.457",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Power BI Report Server version 1.12.7977.29537",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.0.1107.165",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-09T08:00:00+00:00",
"descriptions": [
{
"lang": "en-US",
"value": "A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim.\nCombining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI templates files to the server using the victim\u0027s session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim access one of the HTML files present in the malicious Power BI template uploaded.\nThe security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitize file uploads.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Spoofing",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T14:47:37.204Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41372"
}
],
"title": "Power BI Report Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2021-41372",
"datePublished": "2021-11-10T00:46:45",
"dateReserved": "2021-09-17T00:00:00",
"dateUpdated": "2024-08-04T03:08:32.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31984 (GCVE-0-2021-31984)
Vulnerability from cvelistv5 – Published: 2021-07-14 17:53 – Updated: 2024-08-03 23:10
VLAI?
Title
Power BI Remote Code Execution Vulnerability
Summary
Power BI Remote Code Execution Vulnerability
Severity ?
CWE
- Remote Code Execution
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power BI Desktop |
Affected:
2.0.0.0 , < > 2.94.781.0
(custom)
cpe:2.3:a:microsoft:power_bi_report_server:-:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:31.404Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31984"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:power_bi_report_server:-:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Power BI Desktop",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "\u003e 2.94.781.0",
"status": "affected",
"version": "2.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-13T07:00:00+00:00",
"descriptions": [
{
"lang": "en-US",
"value": "Power BI Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T22:36:21.220Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31984"
}
],
"title": "Power BI Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2021-31984",
"datePublished": "2021-07-14T17:53:17",
"dateReserved": "2021-04-30T00:00:00",
"dateUpdated": "2024-08-03T23:10:31.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26859 (GCVE-0-2021-26859)
Vulnerability from cvelistv5 – Published: 2021-03-11 15:35 – Updated: 2024-08-03 20:33
VLAI?
Title
Microsoft Power BI Information Disclosure Vulnerability
Summary
Microsoft Power BI Information Disclosure Vulnerability
Severity ?
CWE
- Information Disclosure
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Power BI Report Server version 15.0.1103.234 |
Affected:
15.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:power_bi_report_server:15.0.1103.234:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.132Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26859"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:power_bi_report_server:15.0.1103.234:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Power BI Report Server version 15.0.1103.234",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:power_bi_report_server:15.0.1104.300:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Power BI Report Server version 15.0.1104.300",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-09T08:00:00+00:00",
"descriptions": [
{
"lang": "en-US",
"value": "Microsoft Power BI Information Disclosure Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T20:08:58.257Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26859"
}
],
"title": "Microsoft Power BI Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2021-26859",
"datePublished": "2021-03-11T15:35:31",
"dateReserved": "2021-02-08T00:00:00",
"dateUpdated": "2024-08-03T20:33:41.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1173 (GCVE-0-2020-1173)
Vulnerability from cvelistv5 – Published: 2020-05-21 22:53 – Updated: 2024-08-04 06:25
VLAI?
Summary
A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded attachments, aka 'Microsoft Power BI Report Server Spoofing Vulnerability'.
Severity ?
No CVSS data available.
CWE
- Spoofing
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power BI Report Server |
Affected:
unspecified
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:25:01.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1173"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Power BI Report Server",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "unspecified"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded attachments, aka \u0027Microsoft Power BI Report Server Spoofing Vulnerability\u0027."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Spoofing",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-21T22:53:30",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1173"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2020-1173",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Power BI Report Server",
"version": {
"version_data": [
{
"version_value": ""
}
]
}
}
]
},
"vendor_name": "Microsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded attachments, aka \u0027Microsoft Power BI Report Server Spoofing Vulnerability\u0027."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1173",
"refsource": "MISC",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1173"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-1173",
"datePublished": "2020-05-21T22:53:30",
"dateReserved": "2019-11-04T00:00:00",
"dateUpdated": "2024-08-04T06:25:01.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1332 (GCVE-0-2019-1332)
Vulnerability from cvelistv5 – Published: 2019-12-10 21:40 – Updated: 2024-08-04 18:13
VLAI?
Summary
A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka 'Microsoft SQL Server Reporting Services XSS Vulnerability'.
Severity ?
No CVSS data available.
CWE
- Spoofing
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | SQL Server 2017 Reporting Services |
Affected:
unspecified
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:13:30.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1332"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-1332-Cross-Site%20Scripting-Microsoft%20SQL%20Server%20Reporting%20Services"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SQL Server 2017 Reporting Services",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "unspecified"
}
]
},
{
"product": "Power BI Report Server",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "unspecified"
}
]
},
{
"product": "SQL Server 2019 Reporting Services",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "unspecified"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka \u0027Microsoft SQL Server Reporting Services XSS Vulnerability\u0027."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Spoofing",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T16:41:46",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1332"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-1332-Cross-Site%20Scripting-Microsoft%20SQL%20Server%20Reporting%20Services"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2019-1332",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SQL Server 2017 Reporting Services",
"version": {
"version_data": [
{
"version_value": ""
}
]
}
},
{
"product_name": "Power BI Report Server",
"version": {
"version_data": [
{
"version_value": ""
}
]
}
},
{
"product_name": "SQL Server 2019 Reporting Services",
"version": {
"version_data": [
{
"version_value": ""
}
]
}
}
]
},
"vendor_name": "Microsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka \u0027Microsoft SQL Server Reporting Services XSS Vulnerability\u0027."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1332",
"refsource": "MISC",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1332"
},
{
"name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-1332-Cross-Site%20Scripting-Microsoft%20SQL%20Server%20Reporting%20Services",
"refsource": "MISC",
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-1332-Cross-Site%20Scripting-Microsoft%20SQL%20Server%20Reporting%20Services"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2019-1332",
"datePublished": "2019-12-10T21:40:56",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T18:13:30.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}