CVE-2021-41372 in Power BI Report Server

Summary

by MITRE • 11/10/2021

A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when a Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and the HTML files are accessed directly by the victim. Combining these two vulnerabilities, an attacker is able to upload malicious Power BI template files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim accesses one of the HTML files present in the malicious Power BI template uploaded. The security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitizes file uploads.


Analysis

by VulDB Data Team • 02/25/2026

The vulnerability identified as CVE-2021-41372 represents a critical security flaw in Microsoft Power BI Report Server that combines both cross-site scripting and cross-site request forgery vulnerabilities. This issue arises specifically when Power BI template files containing HTML components are uploaded to the server and subsequently accessed by victims. The vulnerability stems from inadequate input validation and sanitization mechanisms within the Power BI Report Server's file upload processing functionality, creating an attack surface where malicious actors can exploit the system's trust in user-uploaded content.

The technical exploitation of this vulnerability occurs through a sophisticated attack chain that leverages both XSS and CSRF vectors simultaneously. An attacker begins by crafting a malicious Power BI template file containing embedded HTML content with malicious scripts. When an unsuspecting victim accesses the HTML files within this compromised template, the XSS component executes scripts in the victim's browser context, potentially stealing session cookies, credentials, or performing unauthorized actions. The CSRF aspect enables the attacker to upload malicious template files using the victim's authenticated session without their knowledge, effectively bypassing normal access controls and authentication mechanisms. This dual exploitation approach significantly amplifies the attack's effectiveness and potential impact.

The operational impact of CVE-2021-41372 extends beyond simple script execution, as it creates opportunities for privilege escalation when victims possess administrative privileges. The vulnerability allows attackers to execute code within the security context of authenticated users, potentially enabling full system compromise if administrators access the malicious content. This scenario is particularly dangerous in enterprise environments where Power BI Report Server serves as a central platform for business intelligence and data analysis, as it could lead to data exfiltration, system infiltration, or unauthorized access to sensitive business information. The attack's stealthy nature, combined with the potential for elevated privileges, makes this vulnerability particularly concerning for organizations relying on Power BI for critical business operations.

Microsoft addressed this vulnerability through enhanced file upload sanitization mechanisms that properly validate and filter HTML content within Power BI template files before processing. The security update implements stricter input validation, content type checking, and HTML sanitization routines that prevent malicious scripts from being executed when HTML files are accessed through the Power BI Report Server interface. This remediation aligns with established cybersecurity practices for preventing XSS vulnerabilities, specifically addressing the CWE-79 (Cross-site Scripting) and CWE-352 (Cross-Site Request Forgery) categories. Organizations should prioritize applying this update immediately, as the vulnerability can be exploited without user interaction beyond accessing the malicious content, making it particularly dangerous in environments where users regularly access Power BI reports and templates. The mitigation strategy also emphasizes the importance of implementing least-privilege access controls and regular security assessments for Power BI environments to prevent similar vulnerabilities from emerging in other components of the system.
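As an added illustration of the upload-side and serving-side controls described above (example code written for this page, not Microsoft's fix or VulDB's code): a gate that refuses template archives containing HTML parts, checks the request origin to block cross-site uploads, and serves stored parts as non-renderable downloads. It assumes a .pbix template is a ZIP archive, and the origin `https://reports.example.internal` and the archive part names are constructed placeholders.

```python
import io
import re
import zipfile

HTML_EXT = (".html", ".htm", ".xhtml", ".svg")      # extensions treated as HTML
HTML_MARKERS = re.compile(rb"<\s*(script|html|iframe|svg|body)\b", re.I)  # content sniff

def find_html_entries(pbix_bytes: bytes) -> list[str]:
    """Names of parts that are HTML by extension or by sniffing the first 4 KiB."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(pbix_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                head = part.read(4096)
            if info.filename.lower().endswith(HTML_EXT) or HTML_MARKERS.search(head):
                flagged.append(info.filename)
    return flagged

def same_origin(headers: dict, expected_origin: str) -> bool:
    """CSRF check: a cross-site post carries the other site's Origin; no Origin/Referer fails closed."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin.startswith(expected_origin)

def accept_upload(pbix_bytes: bytes, headers: dict,
                  expected_origin: str = "https://reports.example.internal"):
    """Return (accepted, reason); the default origin is a constructed placeholder."""
    if not same_origin(headers, expected_origin):
        return False, "cross-site upload rejected"
    bad = find_html_entries(pbix_bytes)
    if bad:
        return False, "HTML parts not allowed: " + ", ".join(bad)
    return True, "ok"

def download_headers(filename: str) -> dict:
    """Serve a stored part as a download so the browser never renders it as a page."""
    safe = re.sub(r"[^\w.-]", "_", filename)
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{safe}"',
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "sandbox; default-src 'none'"}

def build_template(parts: dict) -> bytes:
    """Constructed in-memory archive standing in for an uploaded .pbix."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

The content sniff catches HTML hidden behind a non-HTML extension, and the download headers stop a browser from rendering any part that slips through, which is the serving-side half of the fix the summary describes.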

Responsible: Microsoft

Reservation: 09/17/2021

Disclosure: 11/10/2021

Moderation: accepted

CPE: ready

EPSS: 0.00620

KEV: no

Activities: very low
