CVE-2020-26870: Visual Studio Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 7)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2021-Jan
Released: 2021-01-12
EPSS Score: 0.42% (percentile: 61.7%)

FAQ

Why is a CVE that was issued by the MITRE Corporation in the Security Update Guide? CVE-2020-26870 documents a vulnerability in Cure53 DOMPurify which is open source software used by Visual Studio. The documented Visual Studio updates incorporate the updates in Cure53 DOMPurify which address the vulnerability.

Affected Products (5)

Developer Tools

Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft Visual Studio 2019 version 16.8
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)

Security Updates (5)

Revision History

2021-01-12: Information published.