Security News > 2023 > September > Researchers Detail 8 Vulnerabilities in Azure HDInsight Analytics Service

More details have emerged about a set of now-patched cross-site scripting flaws in the Microsoft Azure HDInsight open-source analytics service that could be weaponized by a threat actor to carry out malicious activities.

"The identified vulnerabilities consisted of six stored XSS and two reflected XSS vulnerabilities, each of which could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.

The disclosure comes three months after similar shortcomings were reported in the Azure Bastion and Azure Container Registry that could have been exploited for unauthorized data access and modifications.

"An attacker would have to send the victim a malicious file that the victim would have to execute," Microsoft noted in its advisories for the bugs.

"An authorized attacker with guest privileges must send a victim a malicious site and convince them to open it."

"These weaknesses collectively allow an attacker to inject and execute malicious scripts when the stored data is retrieved and displayed to users," Ben Shitrit noted, urging organizations to implement adequate input validation and output encoding to "Ensure that user-generated data is properly sanitized before being displayed in web pages."

News URL

https://thehackernews.com/2023/09/researchers-detail-8-vulnerabilities-in.html