CVE-2023-29347: 
Windows Admin Center vulnerability analysis and mitigation

Windows Admin Center (WAC) was found to contain a spoofing vulnerability identified as CVE-2023-29347. The vulnerability affects versions prior to 1.5.2306.14001 and was disclosed in July 2023. Windows Admin Center is a customer-deployed, browser-based application used for managing servers, clusters, hyper-converged infrastructure, and Windows 10 PCs (Tenable Blog).

The vulnerability exists in the web server component of Windows Admin Center, where malicious scripts can be executed on a victim's browser. An attacker can exploit this vulnerability through multiple vectors: by importing malicious scripts into the WAC HTML form, through a .csv file imported to the user interface, or through the WAC API. The vulnerability received a CVSS v3.1 base score of 8.7 (High) from Microsoft, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H (NVD).

Successful exploitation of this vulnerability allows an attacker to perform operations on the WAC server using the privileges of the victim. The vulnerability affects both the integrity and availability of the system (Tenable Blog).

Microsoft has released a security update to address this vulnerability. Users are advised to upgrade to Windows Admin Center version 1.5.2306.14001 or later. The patch is available through the official Windows Admin Center download page (Tenable Blog).