CVE-2024-35267 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting Microsoft Azure DevOps Server 2022, specifically version 20231128.1. The vulnerability results from improper neutralization of user-supplied input during web page generation, which allows an attacker to inject malicious scripts into web pages viewed by other users. Exploitation requires the attacker to have some level of privileges (PR:L) and user interaction (UI:R), such as tricking a user into clicking a crafted link or viewing a manipulated page. The vulnerability impacts confidentiality and integrity severely by enabling theft of authentication tokens, session cookies, or execution of unauthorized actions on behalf of the victim user. The availability impact is low. The CVSS 3.1 base score is 7.6, indicating a high severity level due to network attack vector (AV:N), low attack complexity (AC:L), and significant impact on confidentiality and integrity (C:H/I:H). No public exploits are known yet, but the vulnerability is publicly disclosed and should be considered a serious risk. Azure DevOps Server is widely used for software development lifecycle management, making this vulnerability particularly concerning for organizations relying on it for code repositories, build pipelines, and project management.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive development data, including source code, build configurations, and project management information. Exploitation could lead to unauthorized access to internal development environments, intellectual property theft, and potential insertion of malicious code into software builds. This could further cascade into supply chain attacks affecting downstream customers. The requirement for some privileges and user interaction limits the attack surface but does not eliminate risk, especially in large organizations with many users and complex workflows. The low availability impact means systems remain operational but compromised. Given the critical role of Azure DevOps Server in software development, disruption or compromise could have wide-reaching operational and reputational consequences for European enterprises, particularly in sectors like finance, manufacturing, and technology where software integrity is paramount.

Organizations should immediately inventory their Azure DevOps Server 2022 deployments to identify affected versions (20231128.1). Although no patch links are currently provided, monitoring Microsoft’s official security advisories for patches is critical. In the interim, implement strict input validation and output encoding on all user-supplied data within Azure DevOps Server customizations or extensions. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce XSS impact. Limit user privileges to the minimum necessary to reduce the potential attacker foothold. Educate users to recognize and avoid suspicious links or content that could trigger XSS attacks. Regularly audit logs for unusual activity indicative of exploitation attempts. Consider network segmentation and multi-factor authentication to further reduce risk. Once patches are available, prioritize their deployment in all affected environments.