Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Problem description

Missing input validation and output encoding allows JavaScript injection, leading to Reflected Cross Site Scripting (XSS).

Reflected Cross Site Scripting may be used to inject arbitrary JavaScript to the Microsoft System Center 2016 authenticated page. One may intercept the below GET request and modify the SpaceID to inject arbitrary strings into the left navigation pane of the web console.

GET/OperationsManager/InternalPages/NavigationTree.aspx?SpaceId=1002&ViewId=Favorites_Overview HTTP/1.1

Here is an example of an arbitrary string:


A malicious JavaScript, once injected, can modify the current behavior of the page and deliver: trojans, force malicious redirections, content spoofing, keyloggers, content leakage, VIEWSTATE and validators’ tokens leakage (defeating anti-CSRF controls), etc.

The attack constitutes of the following steps

  1. An attacker crafts a specific authenticated GET request of System Center with XSS payload and either tricks the victim to access the special URL or tricks the user to access a phishing scam that triggers the specific request.

  2. The authenticated victim loads/reloads the homepage.

Note: The attack is applicable to any viewID value and every request with SpaceID query string parameter.

Test case

Expected result: Invalid SpaceID error or empty pane and no execution of random JavaScript

Outcome: Arbitrary JavaScript executed.


Implement strict input validation. Only integers are accepted as SpaceID, so the data type check against the input is sufficient to remediate the vulnerability.

We have added a check to ensure that the SpaceID is a supported value only (1001 and 1002), else the data in the tree is empty.


See the security guidance advisory on CVE-2020-1331.

Security classification

Reflected Cross Site Scripting, Content Spoofing

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!