Security News > 2023 > June > Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry

Two "Dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting attacks.

"The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.

In order to exploit these weaknesses, a threat actor would have to conduct reconnaissance on different Azure services to single out vulnerable endpoints embedded within the Azure portal that may have missing X-Frame-Options headers or weak Content Security Policies.

In a proof-of-concept demonstrated by Orca, a specially crafted postMessage was found to be able to manipulate the Azure Bastion Topology View SVG exporter or Azure Container Registry Quick Start to execute an XSS payload. Following responsible disclosure of the flaws on April 13 and May 3, 2023, Microsoft rolled out security fixes to remediate them.

No further action is required on the part of Azure users.

The disclosure comes more than a month after Microsoft plugged three vulnerabilities in the Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services.

News URL

https://thehackernews.com/2023/06/severe-vulnerabilities-reported-in.html