Two “dangerous” security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks.
“The vulnerabilities allowed unauthorized access to the victim’s session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes,” Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.
XSS attacks take place when threat actors inject arbitrary code into an otherwise trusted website, which then gets executed every time when unsuspecting users visit the site.
The two flaws identified by Orca leverage a weakness in the postMessage iframe, which enables cross-origin communication between Window objects.
images from Hacker News