Script injection of certain symbols bypasses portal UI restrictions in Update Rollup 13 for Windows Azure Pack

Applies to: Windows Azure Pack (on Windows

Symptoms

A security vulnerability exists in Update Rollup 13 for Windows Azure Pack (WAP) in which injecting certain symbols bypasses the portal UI restrictions. The portal UI restricts certain symbols, such as the less than ( < ) and greater than ( > ) symbols, that are needed for “<script>” injection.

By replaying a request in Fiddler, strings that contain characters such as < and > can be sent as the subscription name. The SubscriptionName field can be set to any string up to 128 characters. In this scenario, you can load and run various scripts such as <script src="https://code.jquery.com/jquery-1.10.2.min.js"> or <script>alert(document.cookie)</script>.

To learn more about this vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2018-8652.
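The fix itself is the WAP update described under Resolution. As an added illustration of the underlying weakness (a restriction on < and > enforced only in the portal UI, which a replayed request skips), the following Node.js snippet, which is not Windows Azure Pack code, applies the same check at the API boundary and encodes the stored name when it is rendered. The handler, the allowlist and the sample request bodies are constructed for this example; only the 128-character limit and the quoted payloads come from the advisory.

```javascript
// Added example, not WAP code: the portal UI rejected "<" and ">", but the API
// behind it accepted any SubscriptionName of up to 128 characters, so a replayed
// request carried the filtered characters straight into storage. Re-checking at
// the API and encoding on output addresses both halves of the problem.
const MAX_SUBSCRIPTION_NAME = 128; // limit stated in the advisory

// Server-side validation: the check the UI performed, repeated where the
// (possibly replayed) request actually arrives.
function validateSubscriptionName(name) {
  if (typeof name !== "string" || name.length === 0) {
    return { ok: false, reason: "empty" };
  }
  if (name.length > MAX_SUBSCRIPTION_NAME) {
    return { ok: false, reason: "too long" };
  }
  // Allowlist (constructed for the example): letters, digits, space and a few
  // separators. "<", ">", quotes and "&" can never pass, whatever the client sent.
  if (!/^[\p{L}\p{N} ._-]+$/u.test(name)) {
    return { ok: false, reason: "disallowed characters" };
  }
  return { ok: true, reason: "" };
}

// Output encoding: anything that is rendered into the portal page is treated
// as text, so a stored name cannot become markup even if validation is bypassed.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Simulated API handler for a request body (constructed, not a real WAP request).
function handleSubscriptionRequest(body) {
  const result = validateSubscriptionName(body.SubscriptionName);
  if (!result.ok) {
    return { status: 400, error: `SubscriptionName rejected: ${result.reason}` };
  }
  // The value is stored and later displayed by the portal; encode it for display.
  return { status: 200, renderedName: escapeHtml(body.SubscriptionName) };
}

// The payload quoted in the advisory, as the hardened handler now sees it,
// next to an ordinary name (both constructed request bodies).
const replayed = { SubscriptionName: "<script>alert(document.cookie)</script>" };
const legitimate = { SubscriptionName: "Production Subscription 01" };
console.log(handleSubscriptionRequest(replayed));   // status 400
console.log(handleSubscriptionRequest(legitimate)); // status 200
```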

Resolution

Download information

Update packages for Windows Azure Pack are available from Microsoft Update or by manual download.

Microsoft Update

This security update is available through Windows Update. When you turn on automatic updating, this security update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

Manual download of the update package

Go to the following website to manually download the security update package from the Microsoft Update Catalog:

Installation information