MS15-036: Description of the security update for Project Server 2013: April 14, 2015

Introduction

This update resolves vulnerabilities that could allow elevation of privilege if an attacker sends a specially crafted request to an affected Microsoft Project Server 2013. The attacker who successfully exploited these vulnerabilities could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. An attacker who successfully exploited the vulnerabilities could read content that the attacker is not authorized to read, use the victim's identity to take actions on behalf of the victim (such as change permissions and delete content), and insert malicious content in the victim’s browser.

Improvements and fixes

This update also contains fixes for the following nonsecurity issues and improvements:
  • Translates some Russian language UI elements for Project Server 2013 to guarantee accuracy of meaning. This improvement also provides consistency with the Project Professional 2013 client.  For example, these elements translate "Рабочий" to "Трудозатраты".
  • An AD group that is used to synchronize users in Project Web App (this includes a Disabled account for a user) does not inactivate that user in Project Web App.  Additionally, the AD Sync job may partially fail.
  • Formula values may not be calculated for a project field on the project details page in Project Web App until you publish the project.
  • Improves security for cross-site scripting (XSS) on project detail pages.
  • Assume that you try to create a new site from the Connected SharePoint Sites page for an existing project plan. If a web application that you use has a managed path, the site is not created, and the Prepare Project Web App Permission Synchronization For Projects job is displayed as Failed But Not Blocking Correlation on the Manage Queue Jobs page.
  • When you open the Connected SharePoint Sites page in a site collection that has lots of projects, the page takes a long time to load or may time out.
  • When you try to access a view for which you have permissions, you receive an "access denied" error if you do not have permissions to view the default My Assignments view.

Summary

 Microsoft has released security bulletin MS15-036. Learn more about how to obtain the fixes that are included in this security bulletin: 

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

More information about this security update

Download information

This update is available for download from the Microsoft Download Center.

Restart information

You may have to restart the computer after you install this security update.

In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, you will receive a message that advises you to restart the computer.

To help reduce the possibility that a restart will be required, stop all affected services and close all applications that may use the affected files before you install this security update.

Learn about why you may be prompted to restart your computer after you install a security update on a Windows-based computer.

Prerequisites to install this security update

To install this security update, you must have Service Pack 1 for Project Server 2013 installed on the computer.

Removal information

This security update cannot be removed.

Security update replacement information

This security update replaces update 2760236.
File information
Properties

Article ID: 2965278 - Last Review: Feb 16, 2017 - Revision: 2

Microsoft Project Server 2013, Microsoft Project Server 2013 Service Pack 1

Feedback