fleetdm/fleet
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*
- <= 4.78.1
A cross-site scripting (XSS) vulnerability has been identified in Fleet device management software, affecting versions prior to 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3. When Windows Mobile Device Management (MDM) is enabled, an unauthenticated attacker can exploit this vulnerability to steal an administrator's authentication token from localStorage. This could lead to unauthorized access to Fleet, including administrative privileges, visibility into device data, and the ability to modify configurations. The vulnerability does not by itself grant unauthenticated access to Fleet, and it is not present when Windows MDM is disabled.
Exploitation of this vulnerability could allow an attacker to retrieve a Fleet administrator's authentication token, potentially leading to unauthorized administrative access on the Fleet platform. This access would include the ability to view and manage device data and configurations. Additionally, according to the advisory, such exploitation could allow an attacker to deploy scripts to managed hosts.
Users can upgrade to Fleet versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, or 4.53.3 to address this vulnerability. If an immediate upgrade is not possible, Windows MDM can be temporarily disabled.