CVE Daily
← All tags

Tag: Azure DevOps Server

All CVEs associated with "Azure DevOps Server". Page 1/1 • 40 CVEs.

About “Azure DevOps Server”

A curated feed of “Azure DevOps Server”-related CVEs appears below. We currently track 40 CVEs for this tag (all time). In the last 365 days, 1 were published. Average CVSS is 6.7 (all time; 6.5 over 365d), and 38% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-918 - Server-Side Request Forgery (SSRF).

In our taxonomy this topic maps to a MODERATE impact class. Developer and CI or CD tooling touches supply chains and secrets. Patch controllers and agents, enforce SSO or MFA, rotate tokens, isolate runners, and audit plugins. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: azure-devops-server

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestPremier SupportEOLLTS
continuousPatch 4Unavailable-
2022.22022.2patch9
2022.12022.1patch4
2022.02022.0.1patch5
2020.12020.1.2patch19
2020.02020.0.2patch6
2019.12019.1.2patch13
2019.02019.0.1patch16
20182018.3.2patch20
20172017.3.1patch15
20152015.4.2patch8 Expired
20132013.5 Expired
20122012.4 Expired
20102010.SP1 Expired
20052005.SP2 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Azure DevOps Server”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-02-10
Medium

CVE-2026-21512

Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network.

CVSS: 6.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2024-07-09
High

CVE-2024-35267

Azure DevOps Server Spoofing Vulnerability

CVSS: 7.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-35266

Azure DevOps Server Spoofing Vulnerability

CVSS: 7.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-02-13
High

CVE-2024-20667

Azure DevOps Server Remote Code Execution Vulnerability

CVSS: 7.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2023-12-14
Medium

CVE-2023-21751

Azure DevOps Server Spoofing Vulnerability

CVSS: 6.5 CWE: CWE-284 - Improper Access Control View on NVD
2023-11-14
High

CVE-2023-36437

Azure DevOps Server Remote Code Execution Vulnerability

CVSS: 8.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-10-10
High

CVE-2023-36561

Azure DevOps Server Elevation of Privilege Vulnerability

CVSS: 7.3 CWE: CWE-284 - Improper Access Control View on NVD
2023-09-12
High

CVE-2023-38155

Azure DevOps Server Remote Code Execution Vulnerability

CVSS: 7.0 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2023-33136

Azure DevOps Server Remote Code Execution Vulnerability

CVSS: 8.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2023-08-08
Medium

CVE-2023-36869

Azure DevOps Server Spoofing Vulnerability

CVSS: 6.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-06-14
Medium

CVE-2023-21569

Azure DevOps Server Spoofing Vulnerability

CVSS: 5.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2023-21565

Azure DevOps Server Spoofing Vulnerability

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-03-28
Medium

CVE-2023-25722

A credential-leak issue was discovered in related Veracode products before 2023-03-27. Veracode Scan Jenkins Plugin before 23.3.19.0, when configured for remote agent jobs, invokes the Veracode Java…

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-02-14
High

CVE-2023-21553

Azure DevOps Server Remote Code Execution Vulnerability

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2023-21564

Azure DevOps Server Cross-Site Scripting Vulnerability

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-04-13
Medium

CVE-2021-28459

Azure DevOps Server Spoofing Vulnerability

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-27067

Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability

CVSS: 6.5 CWE: N/A View on NVD
2020-12-10
Medium

CVE-2020-17145

Azure DevOps Server and Team Foundation Services Spoofing Vulnerability

CVSS: 5.4 CWE: N/A View on NVD
Medium

CVE-2020-17135

Azure DevOps Server Spoofing Vulnerability

CVSS: 6.4 CWE: N/A View on NVD
2020-11-11
Medium

CVE-2020-1325

Azure DevOps Server and Team Foundation Services Spoofing Vulnerability

CVSS: 5.4 CWE: N/A View on NVD
2020-07-14
Medium

CVE-2020-1326

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server does not properly sanitize user provided input, aka 'Azure DevOps Server Cross-site Scripting Vulnerability'.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-06-09
Medium

CVE-2020-1327

A spoofing vulnerability exists in Microsoft Azure DevOps Server when it fails to properly handle web requests, aka 'Azure DevOps Server HTML Injection Vulnerability'.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-03-12
High

CVE-2020-0815

An elevation of privilege vulnerability exists when Azure DevOps Server and Team Foundation Services improperly handle pipeline job tokens, aka 'Azure DevOps Server and Team Foundation Services Eleva…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2020-0758

An elevation of privilege vulnerability exists when Azure DevOps Server and Team Foundation Services improperly handle pipeline job tokens, aka 'Azure DevOps Server and Team Foundation Services Eleva…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2020-0700

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server does not properly sanitize user provided input, aka 'Azure DevOps Server Cross-site Scripting Vulnerability'.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-09-11
Critical

CVE-2019-1306

A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly, aka 'Azure DevOps and Team Foundation Server Remote Code…

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
2019-07-15
Critical

CVE-2019-1072

A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input, aka 'Azure DevOps Server and Team Foundation Server Remote Code Ex…

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
2019-06-12
Medium

CVE-2019-0996

A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery. An attacker who successfully exploited…

CVSS: 6.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2019-05-16
Medium

CVE-2019-0979

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input, aka 'Azure DevOps Server and Team Foundation Server…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2019-0971

An information disclosure vulnerability exists when Azure DevOps Server and Microsoft Team Foundation Server do not properly sanitize a specially crafted authentication request to an affected server,…

CVSS: 6.5 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
Medium

CVE-2019-0872

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input, aka 'Azure DevOps Server and Team Foundation Server…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-04-09
High

CVE-2019-0875

An elevation of privilege vulnerability exists when Azure DevOps Server 2019 does not properly enforce project permissions, aka 'Azure DevOps Server Elevation of Privilege Vulnerability'.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2019-0874

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server does not properly sanitize user provided input, aka 'Azure DevOps Server Cross-site Scripting Vulnerability'.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2019-0871

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input, aka 'Azure DevOps Server and Team Foundation Server…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2019-0870

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input, aka 'Azure DevOps Server and Team Foundation Server…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2019-0869

A spoofing vulnerability exists in Microsoft Azure DevOps Server when it fails to properly handle web requests, aka 'Azure DevOps Server HTML Injection Vulnerability'.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2019-0868

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input, aka 'Azure DevOps Server and Team Foundation Server…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2019-0867

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input, aka 'Azure DevOps Server and Team Foundation Server…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2019-0866

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input, aka 'Azure DevOps Server and Team Foundation Server…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2019-0857

A spoofing vulnerability that could allow a security feature bypass exists in when Azure DevOps Server does not properly sanitize user provided input, aka 'Azure DevOps Server Spoofing Vulnerability'.

CVSS: 6.5 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox