VDB
GCVE-110-CLOUD-2022-0006
GCVE-110-CLOUD-2022-0006
Advisory Published
Binary Security discovered and registered two dangling cloudapp.azure.com
subdomains corresponding to subdomains at visualstudio.com. Had these been
discovered and registered by an attacker, this would have been equivalent
to a 1-click vulnerability for Azure DevOps: the attacker could have crafted
a URL referring to the sign-in API for Azure DevOps Services (app.vssps.visualstudio.com)
using one of the two subdomains in the "reply_to" field (since subdomains
of visualstudio.com would be allowed by the API). If clicked on by a target
Azure DevOps user, this would have sent an authentication token to an
attacker-controlled server, thereby allowing account takeover.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Azure | DevOps | — | — |
| Azure | Cloud Services | — | — |
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.