Endpoint Vulnerability

Microsoft: MDS API XSS Vulnerability


A cross-site scripting (XSS) vulnerability exists in SQL Server Master Data Services (MDS) that could allow an attacker to inject client-side script into a user's browser session. The vulnerability is caused when the MDS API does not properly validate a request parameter on the MDS web site, so attacker-controlled input in that parameter is reflected into the page the user receives. Script injected this way runs in the security context of the targeted user: it could spoof content, disclose information, or take any action on the site that the user is allowed to take. To exploit the vulnerability, the user must click a specially crafted URL; in an email attack scenario, an attacker would send the user a message containing the crafted URL and attempt to convince them to click it. The security update addresses the vulnerability by correcting how SQL Server MDS validates the request parameter.
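
The following is an added illustration of the bug class described above, not code from Microsoft or from MDS. It uses a hypothetical page that echoes a `name` query parameter: one handler reflects the parameter raw (the vulnerable pattern), the other HTML-encodes it before it reaches the document (the pattern a fix applies). The `is_reflected_unencoded` check sends a canary through a handler and reports whether it comes back as live markup, which is the same test a scanner or a regression test would run against a patched server; the page template, parameter name and canary are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote

# Hypothetical page that echoes the "name" query parameter into an <h1>.
# Constructed for illustration only; it is not MDS code.
TEMPLATE = "<html><body><h1>Entity: {value}</h1></body></html>"


def _param(query_string: str, name: str) -> str:
    """Return the first value of `name` from a URL-decoded query string."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Vulnerable pattern: the request parameter lands in the HTML unencoded,
    so a crafted URL can place <script> (or an event-handler attribute)
    directly into the page the victim's browser renders."""
    return TEMPLATE.format(value=_param(query_string, "name"))


def render_fixed(query_string: str) -> str:
    """Fixed pattern: the same parameter is HTML-encoded for the HTML body
    context, so '<', '>', '&' and quotes are emitted as entities and the
    browser treats the value as text rather than markup."""
    return TEMPLATE.format(value=html.escape(_param(query_string, "name"), quote=True))


# Canary that is harmless to reflect but unambiguous to spot in a response.
CANARY = "<script>alert(1)</script>"


def crafted_url(base: str, param: str, payload: str) -> str:
    """Build the kind of link an attacker would mail to the victim: the
    payload is percent-encoded so the URL survives transport intact."""
    return f"{base}?{param}={quote(payload)}"


def is_reflected_unencoded(render, param: str, canary: str = CANARY) -> bool:
    """Probe a page handler with the canary and report whether it is echoed
    back verbatim (i.e. as executable markup). False means the value was
    encoded, stripped, or not reflected at all."""
    query_string = f"{param}={quote(canary)}"
    return canary in render(query_string)


if __name__ == "__main__":
    url = crafted_url("https://mds.example.test/api/entity", "name", CANARY)
    print("Crafted URL:", url)
    print("Vulnerable handler reflects canary:", is_reflected_unencoded(render_vulnerable, "name"))
    print("Fixed handler reflects canary:     ", is_reflected_unencoded(render_fixed, "name"))
```

Note that `html.escape` is the right encoder only for the HTML body and quoted-attribute contexts used here; a parameter that is written into a `<script>` block, a URL attribute, or inline CSS needs the encoder for that context, and the canary check above should be repeated for each place the parameter is reflected.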

Affected Products

Microsoft SQL Server 2016 for x64-based Systems (CU)
Microsoft SQL Server 2016 for x64-based Systems