Security
Headlines
HeadlinesLatestCVEs

Tag

#Security Vulnerability

CVE-2021-3450: OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT

*Why is this OpenSSL Software Foundation CVE included in the Security Update Guide?* The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

Microsoft Security Response Center
#Visual Studio#Security Vulnerability#vulnerability#microsoft
CVE-2021-41361: Active Directory Federation Server Spoofing Vulnerability

*How could an attacker exploit this vulnerability?* The ADFS (Active Directory Federation Services) services are vulnerable during the logout redirect request to cross-site scripting of the post logout redirect URI. An attacker who successfully exploited this vulnerability could leave an application using this ADFS library vulnerable to common XSS attacks.

CVE-2021-41355: .NET Core and Visual Studio Information Disclosure Vulnerability

*What type of information could be disclosed by this vulnerability?* The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.

CVE-2021-40475: Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability

*What type of information could be disclosed by this vulnerability?* The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

CVE-2021-40457: Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability

*The CVSS Score says user action is required. What type of user action is required?* A user would have to open a maliciously crafted email sent to Dynamics 365 Customer Engagement.

CVE-2021-40456: Windows AD FS Security Feature Bypass Vulnerability

*What security feature could be bypassed by exploiting this vulnerability?* This vulnerability could allow an attacker to bypass ADFS BannedIPList entries for WS-Trust workflows.

CVE-2021-40454: Rich Text Edit Control Information Disclosure Vulnerability

*What type of information could be disclosed by this vulnerability?* An attacker that successfully exploited this vulnerability could recover cleartext passwords from memory.

CVE-2021-41363: Intune Management Extension Security Feature Bypass Vulnerability

*Are there any pre-requisites for this vulnerability to be exploited in Intune Management Extension?* This vulnerability only exists when Intune Management Extension is enabled as managed installer. Enabling IME as managed installer requires local administrator privileges. *What should I do to protect myself from this vulnerability?* No action is required. As soon as the client connects to the service, it automatically receives a message to update.

CVE-2021-41352: SCOM Information Disclosure Vulnerability

*In what instances do I need to install the security update for this vulnerability?* This vulnerability only affects machines that have the SCOM web console installed. SCOM web console server machines should have this update installed to be protected from the vulnerability. *Do I need to install the update if my machine is not set up as a web console server?* No. Customers whose machines are not SCOM web console server machines do not need to install this update.

CVE-2021-41343: Windows Fast FAT File System Driver Information Disclosure Vulnerability

*What type of information could be disclosed by this vulnerability?* The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.