Researchers have unveiled additional details about eight cross-site scripting (XSS) vulnerabilities in Microsoft’s Azure HDInsight open-source analytics service, which have now been patched. These vulnerabilities comprised six stored XSS and two reflected XSS flaws, each with the potential for unauthorized actions, including data access, session hijacking, and deploying malicious payloads, according to Orca security researcher Lidor Ben Shitrit.
Microsoft addressed these issues as part of its August 2023 Patch Tuesday updates. This disclosure follows previous reports of security issues in Azure Bastion and Azure Container Registry, underscoring the importance of input validation and output encoding to prevent such attacks.
The identified vulnerabilities are part of a list that includes CVE-2023-35393, CVE-2023-35394, CVE-2023-36877, CVE-2023-36881, and CVE-2023-38188, each with varying CVSS scores.
To exploit these vulnerabilities, an attacker would need to trick the victim into executing a malicious file or site, especially an authorized attacker with guest privileges. These vulnerabilities are a type of XSS attack, which involves injecting rogue scripts into a legitimate website, leading to their execution on the victims’ web browsers.
While reflected XSS affects users who click on fraudulent links, stored XSS is embedded in a webpage and affects all users who access it. The vulnerabilities stem from a lack of proper input sanitation, which allows malicious characters to be executed when users retrieve and view stored data on the dashboard.
To mitigate these weaknesses, organizations are encouraged to implement robust input validation and output encoding procedures to ensure user-generated data is thoroughly sanitized before being displayed on web pages, as emphasized by Ben Shitrit.
These vulnerabilities underline the ongoing risks associated with XSS attacks and the importance of promptly patching and securing services to prevent unauthorized access and data breaches.