More details person emerged astir a acceptable of now-patched cross-site scripting (XSS) flaws successful the Microsoft Azure HDInsight open-source analytics work that could beryllium weaponized by a menace histrion to transportation retired malicious activities.
"The identified vulnerabilities consisted of six stored XSS and 2 reflected XSS vulnerabilities, each of which could beryllium exploited to execute unauthorized actions, varying from information entree to league hijacking and delivering malicious payloads," Orca information researcher Lidor Ben Shitrit said successful a study shared with The Hacker News.
The issues were addressed by Microsoft arsenic portion of its Patch Tuesday updates for August 2023.
The disclosure comes 3 months aft akin shortcomings were reported successful the Azure Bastion and Azure Container Registry that could person been exploited for unauthorized information entree and modifications.
The database of flaws is arsenic follows -
- CVE-2023-35393 (CVSS score: 4.5) - Azure Apache Hive Spoofing Vulnerability
- CVE-2023-35394 (CVSS score: 4.6) - Azure HDInsight Jupyter Notebook Spoofing Vulnerability
- CVE-2023-36877 (CVSS score: 4.5) - Azure Apache Oozie Spoofing Vulnerability
- CVE-2023-36881 (CVSS score: 4.5) - Azure Apache Ambari Spoofing Vulnerability
- CVE-2023-38188 (CVSS score: 4.5) - Azure Apache Hadoop Spoofing Vulnerability
"An attacker would person to nonstop the unfortunate a malicious record that the unfortunate would person to execute," Microsoft noted successful its advisories for the bugs. "An authorized attacker with impermanent privileges indispensable nonstop a unfortunate a malicious tract and person them to unfastened it."
XSS attacks hap erstwhile an adversary injects rogue scripts into a morganatic website, which subsequently get executed connected victims' web browsers erstwhile visiting the site. While reflected XSS targets users who are tricked into clicking connected a fraudulent link, Stored XSS is embedded successful a web leafage and affects each users accessing it.UPCOMING WEBINAR
Identity is the New Endpoint: Mastering SaaS Security successful the Modern Age
Dive heavy into the aboriginal of SaaS information with Maor Bin, CEO of Adaptive Shield. Discover wherefore individuality is the caller endpoint. Secure your spot now.Supercharge Your Skills
The unreality information steadfast said that each the flaws stem from a deficiency of due input sanitization that makes it imaginable to render malicious characters upon loading the dashboard.
"These weaknesses collectively let an attacker to inject and execute malicious scripts erstwhile the stored information is retrieved and displayed to users," Ben Shitrit noted, urging organizations to instrumentality capable input validation and output encoding to "ensure that user-generated information is decently sanitized earlier being displayed successful web pages."