Security fixes for Team Foundation Server
Today, we are releasing a fix for a potential cross site scripting (XSS) vulnerability. This impacts Team Foundation Server 2017 and 2018. We have released patches for TFS 2017 Update 3.1, TFS 2018 Update 1.1, and TFS 2018 Update 3. We have also released TFS 2018 Update 3.1, which is a full install that includes this fix.
Customers on TFS 2017 should be sure to upgrade to TFS 2017 Update 3.1 and then install the TFS 2017 Update 3.1 patch.
Those on TFS 2018 RTW or Update 1 should upgrade to TFS 2018 Update 1.1 and then install the TFS 2018 Update 1.1 patch.
If you are on TFS 2018 Update 3, you should install the TFS 2018 Update 3 patch.
Customers on TFS 2018 Update 2 or who would like to be on the latest version of TFS should upgrade to TFS 2018 Update 3.1, which includes this fix. Here are the links:
TFS 2018.3 Release Notes TFS 2018.3.1 Web Installer TFS 2018.3.1 ISO TFS 2018.3.1 Express Web Installer TFS 2018.3.1 Express ISO
TFS 2018 Update 3.1 will also be released to https://my.visualstudio.com. We expect this to be live within a few days.
To verify if you have a patch installed, you can check the versions of the following files: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.VisualStudio.Services.Web.UserManagement.dll
TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.
After installing patch for TFS 2017 Update 3.1, the version should be 15.117.28224.0 After installing patch for TFS 2018 Update 1.1, the version should be 16.122.28226.4. After installing patch for TFS 2018 Update 3, the version should be 16.131.28224.5.