CVE-2019-0996

Severity CVSS v4.0: Pending analysis
Type: CWE-352 Cross-Site Request Forgery (CSRF)
Publication date: 12/06/2019
Last modified: 20/05/2025

Description

A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery. An attacker who successfully exploited this vulnerability could bypass OAuth protections and register an application on behalf of the targeted user.

To exploit this vulnerability, an attacker would need to create a page specifically designed to cause a cross-site request. The attacker would then need to convince a targeted user to click a link to the malicious page.

The update addresses the vulnerability by modifying how Azure DevOps Server protects application registration requests.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:microsoft:azure_devops_server:2019:*:*:*:*:*:*:*