CVE-2020-0700: 
vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability exists in Azure DevOps Server, identified as CVE-2020-0700, due to improper sanitization of user-provided input. The vulnerability affects multiple versions of Azure DevOps Server 2019 and Team Foundation Server (MITRE CVE).

The vulnerability occurs when Azure DevOps Server fails to properly sanitize user-provided input. An authenticated attacker could exploit this vulnerability by sending a specially crafted payload to the Team Foundation Server, which would then execute in the security context of the user whenever they visit the compromised page (BLEEPING COMPUTER).

The successful exploitation of this vulnerability could allow an attacker to perform cross-site scripting attacks on affected systems and execute scripts in the security context of the current user. This could enable the attacker to read unauthorized content, execute malicious code, and perform actions on behalf of the victim user, including changing permissions and deleting content (BLEEPING COMPUTER).

Microsoft has addressed this vulnerability by ensuring that Azure DevOps Server properly sanitizes user inputs. The fix is available through security updates for affected versions of Azure DevOps Server 2019 and Team Foundation Server (BLEEPING COMPUTER).