
Cloud Vulnerability DB
A community-led vulnerabilities database
A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability (CVE-2021-41372) was discovered in Power BI Report Server Template file (pbix) handling. The vulnerability was disclosed on November 9, 2021, affecting Power BI Report Server versions (September 2021) 1.12.7936.39665 and (May 2021) 1.11.7815.26414 (NVD, Microsoft Support).
The vulnerability occurs when Power BI Report Server Template files containing HTML files are uploaded to the server and those HTML files are then accessed directly by victims. The vulnerability received a CVSS v3.1 base score of 9.6 (Critical) from NVD and 7.6 (High) from Microsoft. The vulnerability is tracked under CWE-79 (Cross-site Scripting) and CWE-352 (Cross-Site Request Forgery) (NVD).
Successful exploitation allows attackers to upload malicious Power BI template files to the server using the victim's session and run scripts in the security context of the user. If the victim has admin privileges when accessing HTML files present in the malicious Power BI template, privilege escalation is possible (Qualys).
Microsoft addressed the vulnerability by releasing security updates that help ensure Power BI Report Server properly sanitizes file uploads. The affected versions were updated to Power BI Report Server (September 2021) version 15.0.1107.165 and Power BI Report Server (May 2021) version 15.0.1106.457 (Microsoft Support).
Source: This report was generated using AI