QID 91837
Date Published: 2021-11-10
QID 91837: Microsoft Power BI Report Server Spoofing Vulnerability - November 2021
A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim.
Affected Versions:
Power BI Report Server (September 2021)
QID Detection Logic:
This authenticated QID detects vulnerable versions of RSHostingService.exe by fetching the service installed path from the HKLM\SYSTEM\CurrentControlSet\Services\PowerBIReportServer registry key.
Successful exploitation allows an attacker to upload malicious Power BI templates files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim access one of the HTML files present in the malicious Power BI template uploaded.
- CVE-2021-41372 -
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41372
CVEs related to QID 91837
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| CVE-2021-41372 |
|