CVE-2021-41372

Name of the Vulnerable Software and Affected Versions Power BI Report Server (affected versions not specified)

Description The issue is related to errors in the user interface's representation of information. It involves a Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability that occurs when a Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and the HTML files are accessed directly by the victim. This allows an attacker to upload malicious Power BI template files to the server using the victim's session, run scripts in the security context of the user, and potentially perform privilege escalation if the victim has admin privileges. The security update addresses the issue by ensuring that Power BI Report Server properly sanitizes file uploads.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.