Researchers Uncover XSS Vulnerabilities in Azure Services
Cybersecurity experts at Orca Security have identified two critical cross-site scripting (XSS) vulnerabilities in Microsoft Azure services.
The flaws, which exploited a weakness in how the services handled postMessage events in embedded iframes, could have exposed Azure users to security breaches.
The vulnerabilities were found in Azure Bastion and Azure Container Registry – two commonly used services in the Azure ecosystem.
“Despite several Azure security enhancements to mitigate the postMessage iframe XSS vulnerability, we still managed to uncover two Azure services – Azure Bastion and Azure Container Registry – that were exploitable via this vulnerability,” Orca wrote in a report published today.
The Azure Bastion flaw lies in the mishandling of the service's postMessage handler, which left three distinct postMessage cases open to exploitation.
By sending a specially crafted postMessage, attackers could execute malicious scripts, potentially compromising user sessions and sensitive data.
Meanwhile, the Azure Container Registry flaw allowed attackers to inject and execute arbitrary scripts within the context of the container registry.
This enabled them to manipulate the behavior of the affected web application and potentially steal sensitive information or perform unauthorized actions.
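Both flaws belong to the same class: an iframe listens for postMessage events and acts on the payload without checking where it came from. The following is an added illustration, not Orca's or Microsoft's code, contrasting a handler that trusts any sender with one that allow-lists the origin, validates the message shape and renders as text. The origins, message format and the tiny stand-in for a DOM element are assumptions so the snippet runs under Node.

```javascript
// Minimal stand-in for a DOM element so the example runs without a browser.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable handler: no origin check, payload written to an HTML sink.
// Any page that can reach the frame may push markup that carries script.
function vulnerableHandler(target) {
  return function onMessage(event) {
    target.innerHTML = event.data; // trusts event.data from any origin
    return true;
  };
}

// Hardened handler: allow-list the sender origin, require a structured
// message with an expected type, and render as text rather than HTML.
function hardenedHandler(target, allowedOrigins) {
  return function onMessage(event) {
    if (!allowedOrigins.has(event.origin)) return false;       // drop untrusted senders
    const msg = event.data;
    if (typeof msg !== "object" || msg === null) return false; // require structured message
    if (msg.type !== "status" || typeof msg.text !== "string") return false;
    target.textContent = msg.text;                             // text sink, no markup parsing
    return true;
  };
}

// Constructed sample events with hypothetical origins (not Azure's real ones).
const TRUSTED = "https://portal.example.test";
const hostileEvent = {
  origin: "https://evil.example.test",
  data: "<img src=x onerror=\"alert(1)\">",
};
const trustedEvent = { origin: TRUSTED, data: { type: "status", text: "ready" } };

// Runs both handlers against the same events and reports what each did.
function demo() {
  const el1 = makeElement();
  const el2 = makeElement();
  const vulnAccepted = vulnerableHandler(el1)(hostileEvent);
  const handler = hardenedHandler(el2, new Set([TRUSTED]));
  const hardenedRejected = !handler(hostileEvent);
  const hardenedOk = handler(trustedEvent);
  return { vulnAccepted, vulnHtml: el1.innerHTML, hardenedRejected, hardenedOk, hardenedText: el2.textContent };
}

console.log(demo());
```

Checking `event.origin` against an exact allow-list is the decisive control; a substring or regex match on the origin is a common way such checks are bypassed.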
“The vulnerabilities allowed unauthorized access to the victim’s session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes,” Orca wrote.
The company promptly reported the vulnerabilities to Microsoft: “Upon discovery of these vulnerabilities, we immediately informed the Microsoft Security Response Center (MSRC), who were able to reproduce the issues.”
“Both vulnerabilities have now been fixed and verified – with no further action required by Azure users,” reads the report.
Its publication comes three months after Orca Security disclosed a separate flaw in Microsoft's Azure Service Fabric Explorer (SFX), which it called "Super FabriXss."