Issue 1 - ZeroClipboard cross-site scripting vulnerability
The pre-9.1 versions of WAP include a version of ZeroClipboard (v1.1.7) that is vulnerable to cross-site scripting (XSS). Security Update Rollup 9.1 for WAP includes updated ZeroClipboard version 1.3.5, which resolves this vulnerability. You can find details about it here.
Impact
ZeroClipboard is found in the Admin and Tenant portals, and in the Tenant Authentication service. This vulnerability can be exploited on all these services. A service provider will usually keep the Admin portal inaccessible to tenants, but the Tenant portal and the Tenant Auth service are typically made available to tenants. Be aware that the Tenant Auth service isn't supported in production deployments. If an attack is successful, the adversary can run anything that a WAP administrator or tenant user can run in the application. The adversary could also build upon this bug to attack the browser or workstation of the victim, or to create or access tenant resources (such as virtual machines or SQL Server). Because the federated authentication server is also vulnerable, other attack options might also be available.
Issue 2 - Tenant Public API service vulnerability
In the pre-9.1 versions of WAP, an active tenant attacker can upload a certificate through the Public Tenant API service and associate it with a target tenant's subscription ID. This lets the attacker gain access to the target tenant resources. Update Rollup 9.1 blocks such an attack.
Impact
An adversary can use this to access the WAP tenant Public API service. However, in order to do so, the attacker must know the subscriptionId of the victim. There's at least one plausible scenario in which an adversary learns the subscriptionId. The application lets administrators create co-admins, and anyone who signs in as a co-admin sees the subscriptionId. If that co-admin is later removed, they still know the subscriptionId and can perform the attack.
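The defect in Issue 2 is a missing ownership check: the service trusted the subscription ID supplied in the request and bound the uploaded certificate to it without confirming that the caller currently administers that subscription. The following is an added illustration, not WAP's own code, of the vulnerable pattern beside the hardened one. All names (Subscription, SubscriptionStore, bind_certificate_vulnerable, bind_certificate_fixed) are hypothetical, and the scenario data (tenants, a removed co-admin, a certificate thumbprint) is constructed to replay the co-admin case described above.

```python
"""Constructed model of the Issue 2 authorization gap (hypothetical names,
not WAP's API): binding a client certificate to a subscription must check,
at request time, that the authenticated caller currently administers it."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Subscription:
    subscription_id: str
    owner: str
    co_admins: Set[str] = field(default_factory=set)
    certificates: Set[str] = field(default_factory=set)  # certificate thumbprints

    def administered_by(self, principal: str) -> bool:
        """Live membership check: owner or a *current* co-admin."""
        return principal == self.owner or principal in self.co_admins


class SubscriptionStore:
    def __init__(self) -> None:
        self._subs: Dict[str, Subscription] = {}
        self.audit: List[str] = []  # denied attempts, for detection

    def add(self, sub: Subscription) -> None:
        self._subs[sub.subscription_id] = sub

    def get(self, subscription_id: str) -> Subscription:
        return self._subs[subscription_id]


def bind_certificate_vulnerable(store: SubscriptionStore, caller: str,
                                subscription_id: str, thumbprint: str) -> bool:
    """Pre-fix pattern: the subscription ID from the request is trusted as-is,
    so any authenticated tenant who knows another tenant's ID can bind a cert."""
    store.get(subscription_id).certificates.add(thumbprint)
    return True


def bind_certificate_fixed(store: SubscriptionStore, caller: str,
                           subscription_id: str, thumbprint: str) -> bool:
    """Hardened pattern: refuse unless the caller administers the subscription
    right now. The check is evaluated per request, so a removed co-admin who
    still remembers the ID is denied, and the denial is recorded."""
    sub = store.get(subscription_id)
    if not sub.administered_by(caller):
        store.audit.append(
            f"DENY cert-bind caller={caller} subscription={subscription_id}")
        return False
    sub.certificates.add(thumbprint)
    return True


def replay_removed_coadmin_scenario() -> dict:
    """Constructed scenario: 'mallory' was a co-admin of victim's subscription,
    learned its ID, and was then removed. Returns what each pattern allows."""
    store = SubscriptionStore()
    victim_sub = Subscription("sub-victim-0001", owner="alice", co_admins={"mallory"})
    store.add(victim_sub)

    # Alice removes the co-admin; Mallory keeps the subscriptionId she saw.
    victim_sub.co_admins.discard("mallory")
    thumbprint = "ATTACKER-CERT-THUMBPRINT"  # constructed placeholder

    vulnerable_allowed = bind_certificate_vulnerable(
        store, "mallory", "sub-victim-0001", thumbprint)
    vulnerable_bound = thumbprint in victim_sub.certificates

    victim_sub.certificates.clear()  # reset before trying the fixed handler
    fixed_allowed = bind_certificate_fixed(
        store, "mallory", "sub-victim-0001", thumbprint)
    fixed_bound = thumbprint in victim_sub.certificates

    # The legitimate owner is still able to manage her own subscription.
    owner_allowed = bind_certificate_fixed(
        store, "alice", "sub-victim-0001", "OWNER-CERT-THUMBPRINT")

    return {
        "vulnerable_allowed": vulnerable_allowed,
        "vulnerable_bound": vulnerable_bound,
        "fixed_allowed": fixed_allowed,
        "fixed_bound": fixed_bound,
        "owner_allowed": owner_allowed,
        "denials_logged": len(store.audit),
    }


if __name__ == "__main__":
    for key, value in replay_removed_coadmin_scenario().items():
        print(f"{key}: {value}")
```

The point of the hardened handler is that knowing a subscriptionId is not a credential: the binding is decided by the caller's current relationship to the subscription, looked up on every request rather than inferred from the identifier in the URL or body. Recording the denial gives operators a signal that a former co-admin, or anyone else, is probing subscriptions they no longer administer.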